23542300x800000000000000015024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:36.867{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE3F47CEB9DAECE5FA8A5030252E6068,SHA256=A12628CDDB34A8242DA4468C81F8DC6739988DF70C47C85329EC218075A09655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.545{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306A728D3D26CA9E06ED1E33D097FED3,SHA256=63B4DEBDE5E21DDA2F6D6F61417E1788F49D262134085687210D8285590A13AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000039259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:33.132{FE4C2B44-E1F1-63C7-9405-00000000AF02}352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56209-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 23542300x800000000000000015026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:37.963{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72062EB147CD477A1D52B50BDABE603,SHA256=AE85C687F701DEB193A1724C14F08B340CF01ED1384B5FB22CD0C120E466BF2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.637{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F3E1A54412FEC8573DA731C61E7F04,SHA256=E2553B6702B56A899B59CF43D1D8D8D82074A0444C9CFEE6A99CA5D7DEED4EAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.626{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.626{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000039306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.605{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE8B8F350CDEC7DFB24F3098103A671F,SHA256=8F7CC2BB36AC6DBE3AC8F1F6E8327EB0327253308751D4B720E5A641C09347F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000039305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.572{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe 354300x800000000000000015025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:36.033{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50032-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000039304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.544{FE4C2B44-E325-63C7-F805-00000000AF02}4560ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=EF0129B3C545A4CD7B698E433D1F8D09,SHA256=02BAF19A4DB2E4A06170CD7A7CA206BBAA503346040E40578BA7F3AD4E873DB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.460{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.460{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.445{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.445{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.445{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000039298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.409{FE4C2B44-E325-63C7-F805-00000000AF02}4560ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=7C6B6BC154BB430946EE8FB7451904FE,SHA256=5376B44DF0563BD96E3761840EC238A6BA0605698BF15D65231A35F91A81BF37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.398{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000039296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:35.518{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56210-false10.0.1.12-8000- 23542300x800000000000000039295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.362{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8A08A55AEEF1BFB4B7EBAA918EAC675E,SHA256=1CC28EDA3A690723C012FF18675FEFA4967E8F186A85737111A3983102592E76,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.305{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.305{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.305{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.258{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.258{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.258{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.236{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.230{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.230{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.222{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.222{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.222{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.209{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.194{FE4C2B44-DDF4-63C7-A004-00000000AF02}47002992C:\Windows\system32\csrss.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.192{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.192{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.192{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.191{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.190{FE4C2B44-E2B7-63C7-D405-00000000AF02}25441972C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+ad075|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+afbe7|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+d8818|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+f4a88|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+94c76|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+93a8f|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+fa0ea|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+e5089|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+e60b8|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+c9a35|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+5cdc5 154100x800000000000000039275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.135{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe12.1.0.15192Foxit UpdaterFoxit UpdaterFoxit CorporationFoxit Updater.EXE"C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe" /version 12.1.0.15250 /green 0 /appname "Foxit PDF Reader" /productid 1 /ReaderLang en_us /AgentName "Foxit Reader(bundle PhantomStd)" /AgencyID 90 /isPhantom 0 /newuser 1 /IsWin10 1 /updaterinstall Website /uninstall 0C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=9968A58D93AF316E2D4EA79B0CCCF0FB,SHA256=3D79910A9B723D8B923AD7463BE373A9147745B743F5B03F7ABC25201CBC86DB,IMPHASH=BD3F29B8D5BB0B0238E0071DCEF6C8FA{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp"C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp" /SL5="$30334,167691783,421376,C:\Users\Administrator\Downloads\FoxitPDFReader121_enu_Setup_Prom.exe" 10341000x800000000000000039274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.159{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.159{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.159{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.143{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.143{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.128{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.120{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.120{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.120{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.120{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.120{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.120{FE4C2B44-E2B7-63C7-D405-00000000AF02}25441972C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+ad075|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+afbe7|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+d8818|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+f4a88|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+94c76|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+93a8f|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+fa0ea|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+e5089|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+e60b8|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+c9a35|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+5cdc5 154100x800000000000000039262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.099{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe9.0.0.505---CountInstalltion.EXE"C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe" /version 12.1.0.15250 /green 0 /appname "Foxit PDF Reader" /productid 1 /ReaderLang en_us /AgentName "Foxit Reader(bundle PhantomStd)" /AgencyID 90 /isPhantom 0 /newuser 1 /IsWin10 1 /updaterinstall Website /uninstall 0C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=A0482A7D4D5F804BEEF642D3F42BEDEB,SHA256=BA063AC1A37375D174FD323A1DFA05E44BA27E94917A1C7F3D5D224688ED82B3,IMPHASH=9E0489BDAC05725973504175B2148FAD{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp"C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp" /SL5="$30334,167691783,421376,C:\Users\Administrator\Downloads\FoxitPDFReader121_enu_Setup_Prom.exe" 10341000x800000000000000039261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.099{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000039374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginPSConversion\FriendlyNamePSConversion 13241300x800000000000000039373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginImanage10\FriendlyNameiManage 10 Integration 13241300x800000000000000039372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitArchiveConnector\FriendlyNameAlfresco 13241300x800000000000000039371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginDMSforLegal\FriendlyNameDMSforLegal Integration 13241300x800000000000000039370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginShareFile\FriendlyNameShareFile Integration 13241300x800000000000000039369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginContentSuite\FriendlyNameContentSuite Integration 13241300x800000000000000039368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginWorldox\FriendlyNameWorldox Integration 13241300x800000000000000039367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginEgnytePlugin\FriendlyNameEgnytePlugin 13241300x800000000000000039366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginDocumentum\FriendlyNameDocumentum Integration 13241300x800000000000000039365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\ACPPlugin\FriendlyNameACPPlugin 13241300x800000000000000039364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\AmanoTimeStamp\FriendlyNameAmanoTimeStamp 13241300x800000000000000039363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginOpenText\FriendlyNameOpenText Integration 13241300x800000000000000039362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginContentSyndication\FriendlyNameFoxitInnerPluginContentSyndication 13241300x800000000000000039361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginNdOffice\FriendlyNameNdOffice 13241300x800000000000000039360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginiManageWork\FriendlyNameiManage 9 Integration 13241300x800000000000000039359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginSubscribe\FriendlyNameFoxitInnerPluginSubscribe 13241300x800000000000000039358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginLicenseManager\FriendlyNameFoxitInnerPluginLicenseManager 13241300x800000000000000039357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitDrive\FriendlyNameFoxitInnerPluginFoxitDrive 13241300x800000000000000039356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginBrowser\FriendlyNameFoxitInnerPluginBrowser 13241300x800000000000000039355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginConnectedPDF\FriendlyNameFoxitInnerPluginConnectedPDF 13241300x800000000000000039354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitAccountManagement\FriendlyNameFoxitInnerPluginFoxitAccountManagement 13241300x800000000000000039353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginConnectedPDFDRM\FriendlyNameConnectedPDF DRM 13241300x800000000000000039352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginOFDViewer\FriendlyNameFoxitOFDViewer 13241300x800000000000000039351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginActionWizard\FriendlyNameActionWizard 13241300x800000000000000039350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginBoxPlugin\FriendlyNameBoxPlugin 13241300x800000000000000039349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginDropboxPlugin\FriendlyNameDropboxPlugin 13241300x800000000000000039348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginGoogleDrive\FriendlyNameGoogleDrive 13241300x800000000000000039347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginOneDriveForBusiness\FriendlyNameOneDriveForBusiness 13241300x800000000000000039346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginOneDrive\FriendlyNameOneDrive 13241300x800000000000000039345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerMetaDataHandling\FriendlyNameFoxitInnerMetaDataHandling 13241300x800000000000000039344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\CusIntelRMSPlg\FriendlyNameCusIntelRMSPlg 13241300x800000000000000039343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginShareReview\FriendlyNameShareReview 13241300x800000000000000039342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginReadOutLoud\FriendlyNameSpeech 13241300x800000000000000039341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginCPDFOCLink\FriendlyNameFoxitInnerPluginCPDFOCLink 13241300x800000000000000039340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginTouchup\FriendlyNameEdit Text 13241300x800000000000000039339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginPageEditor\FriendlyNameEdit Object 13241300x800000000000000039338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginIntegrateWithSP\FriendlyNameIntegrateWithSP 13241300x800000000000000039337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginWip\FriendlyNameWIP 13241300x800000000000000039336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitRMS_V2\FriendlyNameFoxitRMS_V2 13241300x800000000000000039335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FileOpen\FriendlyNameFileOpen 13241300x800000000000000039334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginDocuSign\FriendlyNameDocuSign 13241300x800000000000000039333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginComparePDF\FriendlyNameComparePDF 13241300x800000000000000039332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginCommentsSummary\FriendlyNameCommentsSummary 13241300x800000000000000039331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginPlgDynLoader\FriendlyNamePlgDynLoader 13241300x800000000000000039330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitUpdater\FriendlyNameFoxitUpdater 13241300x800000000000000039329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginCalculator\FriendlyNameAccounting Calculator 10341000x800000000000000039328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.777{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.777{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.762{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.762{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.762{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.762{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.762{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.762{FE4C2B44-E2B7-63C7-D405-00000000AF02}25441972C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+ad075|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+afbe7|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+d8818|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+e5510|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+e6401|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+e64c1|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+c9816|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+5cdc5|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+60d60|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+45cfd|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+60eb0 154100x800000000000000039320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.764{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe12.1.0.15250Foxit PDF Reader 12.1Foxit PDF ReaderFoxit Software Inc.FoxitPDFReader.EXE"C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe"C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=1132BC30E14F785DC94B0968B316920E,SHA256=A8A2AC478388A25808F3AA578B7F62767F0CEE3B35D6C82422EAA3A5AD4050B8,IMPHASH=A6A5EE4AEE40744E22C729923B18481F{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp"C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp" /SL5="$30334,167691783,421376,C:\Users\Administrator\Downloads\FoxitPDFReader121_enu_Setup_Prom.exe" 10341000x800000000000000039319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.762{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.746{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.746{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.746{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x800000000000000039315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.967{00000000-0000-0000-0000-000000000000}4560cws.connectedpdf.com0type: 5 cws-site-1191008954.us-east-1.elb.amazonaws.com;::ffff:34.236.114.25;::ffff:34.226.74.2;<unknown process> 22542200x800000000000000039314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.803{00000000-0000-0000-0000-000000000000}6408globe-pis.foxitservice.com0type: 5 k8s-clientac-clientac-1bea27c063-867794477.us-east-1.elb.amazonaws.com;::ffff:54.162.170.221;::ffff:54.236.68.254;::ffff:52.87.5.71;<unknown process> 23542300x800000000000000039313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.595{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09DB58ADD3315E28AC3483AEB017076C,SHA256=B348D29ACD3FDAE3778A451A71406EE97DE542659D90DB49E9AF343F985E1035,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.524{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\respondent-20230118113741-037MD5=F3A77350075DBB208FEC17E5163EBA2F,SHA256=8E104D4FA3B2A2E0F7792F9479E83164AF9BF75506FCB23760AA4A41EC5F846D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000039311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.715{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local50269- 23542300x800000000000000039310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.162{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=240090DD77299EA2189985BF52B7CD70,SHA256=86BAD4C9C87B852AD623294BF8A4D5707D9B1F2123D15EB91D7A347E2DEACAE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.825{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98C2565BA7D259D4A8C956859650D0F0,SHA256=FA7BDBD7F1B7592816E3C2DA8747B27234E27C26FE926E71887CA94F39803F65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:39.076{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52AFF9A4D70A38044B7D7D0F2A91B928,SHA256=10048C1C3DFA67D732EA43295F6CA806FCD268E7679D4351897759AE005FB300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.524{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\surveyor-20230118113739-038MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.431{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.431{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x800000000000000039434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.400{FE4C2B44-E2B5-63C7-D305-00000000AF02}5236C:\Users\Administrator\Downloads\FoxitPDFReader121_enu_Setup_Prom.exe 354300x800000000000000039433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.970{00000000-0000-0000-0000-000000000000}4560<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56213-false34.236.114.25ec2-34-236-114-25.compute-1.amazonaws.com443https 354300x800000000000000039432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.953{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60684- 354300x800000000000000039431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.907{00000000-0000-0000-0000-000000000000}6408<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56212-false192.124.249.36cloudproxy10036.sucuri.net80http 354300x800000000000000039430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.893{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local61105- 354300x800000000000000039429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.808{00000000-0000-0000-0000-000000000000}6408<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56211-false54.162.170.221ec2-54-162-170-221.compute-1.amazonaws.com443https 354300x800000000000000039428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.740{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50269- 23542300x800000000000000039427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.381{FE4C2B44-E2B5-63C7-D305-00000000AF02}5236ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\FoxitPDFReader121_enu_Setup_Prom.exeC:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmpMD5=C2468392C1A47E60B40C378318CA142F,SHA256=A20A0540CC72D9EEEAFD60680D5A75C56EEEB6483BE995044DF7FECDFEF30CC1,IMPHASH=F62B90E31ECA404F228FCF7068B00F31truefalse - insufficient disk space 534500x800000000000000039426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.366{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp 23542300x800000000000000039425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.366{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544ATTACKRANGE\AdministratorC:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmpC:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\_isetup\_setup64.tmpMD5=E4211D6D009757C078A9FAC7FF4F03D4,SHA256=388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95,IMPHASH=F672CB51B1362B8101CC947887B02F34truefalse - insufficient disk space 23542300x800000000000000039424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.350{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544ATTACKRANGE\AdministratorC:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmpC:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\FXCUSTOM.dllMD5=ACBE87ED13E8A2448D4E47AEA9923958,SHA256=CA843F1F5F4CB38A945C9865CC5C17F287480C1123C5F6B0D5985472A94B77AE,IMPHASH=EF29A0B6FB2AA8EC42138938AE12510Atruefalse - insufficient disk space 23542300x800000000000000039423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.343{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544ATTACKRANGE\AdministratorC:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmpC:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\error.bmpMD5=C5501CB29AFC1204C0D363D3B292C409,SHA256=EBEECE634EF25DC5678681F81345683FF9103F7E5F085CEEE1424E50AD8EC537,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.343{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544ATTACKRANGE\AdministratorC:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmpC:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exeMD5=A0482A7D4D5F804BEEF642D3F42BEDEB,SHA256=BA063AC1A37375D174FD323A1DFA05E44BA27E94917A1C7F3D5D224688ED82B3,IMPHASH=9E0489BDAC05725973504175B2148FADtruefalse - insufficient disk space 10341000x800000000000000039421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.327{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.327{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.327{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.323{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.323{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.318{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003224C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.318{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003224C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.317{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003224C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.317{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003224C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.316{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.316{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.316{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.316{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.217{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.217{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.217{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.216{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.216{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.216{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.187{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.062{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=913C6FCFD77FC58D71A01CF381B8BAF0,SHA256=D514E71D605AAE420F39D67EC1506B770E052105C653DCB12CEBE9235C24040A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000039400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginInkSign\FriendlyNameInk Sign 13241300x800000000000000039399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitSmartRedact\FriendlyNameFoxitSmartRedact 13241300x800000000000000039398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginPageformat\FriendlyNamePageFormat 13241300x800000000000000039397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginPDFOptimizer\FriendlyNamePDFOptimizer 13241300x800000000000000039396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginPortfolio\FriendlyNamePortfolio 13241300x800000000000000039395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginDocProcess\FriendlyNameDocProcess 13241300x800000000000000039394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginPageOrganizer\FriendlyNamePageOrganizer 13241300x800000000000000039393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitSign\FriendlyNameFoxit Sign 13241300x800000000000000039392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFXExport\FriendlyNameFXExport 13241300x800000000000000039391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginCReview\FriendlyNamecReview 13241300x800000000000000039390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginCrossReferenceLinks\FriendlyNameCrossReferenceLinks 13241300x800000000000000039389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginSignature\FriendlyNameSignature 13241300x800000000000000039388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginOCRRecognition\FriendlyNameOCRRecognition 13241300x800000000000000039387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginRuler\FriendlyNameRuler 13241300x800000000000000039386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginLayerPanelTool\FriendlyNameLayerPanelTool 13241300x800000000000000039385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginNamedPosition\FriendlyNameNamedPosition 13241300x800000000000000039384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginEmail\FriendlyNameEmail 13241300x800000000000000039383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginSecurity\FriendlyNameSecurity 13241300x800000000000000039382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginLoupeTool\FriendlyNameLoupeTool 13241300x800000000000000039381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\MarkanyDRM\FriendlyNameMarkanyDRM 13241300x800000000000000039380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FasooDRM\FriendlyNameFasooDRM 13241300x800000000000000039379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.931{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginU3DBrowser\FriendlyNameU3DBrowser 13241300x800000000000000039378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginAIPLabel\FriendlyNameAIPLabel Integration 13241300x800000000000000039377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFXTranslator\FriendlyNameFoxitInnerPluginFXTranslator 13241300x800000000000000039376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitTool\FriendlyNameFoxitInnerPluginFoxitTool 13241300x800000000000000039375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginMenuBall\FriendlyNameMenuBall 23542300x800000000000000039442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:40.926{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1DEF2661F8985D774AA6412B4070EB,SHA256=C4C403BD3CF09189471017AACB16FA8F9056B14C381FD731A52B3B96A6E5CC5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:40.169{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2416FB7436589C2F247567DD56B932A,SHA256=8F5B7ADDDF84607961E00F03BD1C0E3701D7737DD532204FC7544911F93118F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:40.150{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000039440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:40.149{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000039439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:40.149{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000039486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e235b(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64) 10341000x800000000000000039485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e235b(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64) 10341000x800000000000000039484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e235b(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64) 10341000x800000000000000039483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e235b(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64) 10341000x800000000000000039482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e230f(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64) 10341000x800000000000000039481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e230f(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64) 10341000x800000000000000039480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e230f(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64) 10341000x800000000000000039479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e230f(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64) 23542300x800000000000000015029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:41.262{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8DFFE98A62FBBF712A5AE1F2D6AE151,SHA256=2BDB4A78F2C74833F76C334DA7EB4A2CFB246B59A8333460967E206B2672B75F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e212f(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64)|C:\Windows\System32\ieframe.dll+f17a9(wow64) 10341000x800000000000000039477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e212f(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64)|C:\Windows\System32\ieframe.dll+f17a9(wow64) 10341000x800000000000000039476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e212f(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64) 10341000x800000000000000039475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e212f(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64) 10341000x800000000000000039474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20f8(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64)|C:\Windows\System32\ieframe.dll+f17a9(wow64) 10341000x800000000000000039473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20f8(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64)|C:\Windows\System32\ieframe.dll+f17a9(wow64) 10341000x800000000000000039472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20f8(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64) 10341000x800000000000000039471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20f8(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64) 10341000x800000000000000039470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20c3(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64)|C:\Windows\System32\ieframe.dll+f17a9(wow64) 10341000x800000000000000039469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20c3(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64)|C:\Windows\System32\ieframe.dll+f17a9(wow64) 10341000x800000000000000039468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20c3(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64) 10341000x800000000000000039467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20c3(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64) 10341000x800000000000000039466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1d2b(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64) 10341000x800000000000000039465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1d2b(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64) 10341000x800000000000000039464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1d2b(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64) 10341000x800000000000000039463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1d2b(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64) 10341000x800000000000000039462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64) 10341000x800000000000000039461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64) 10341000x800000000000000039460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64) 10341000x800000000000000039459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64) 10341000x800000000000000039458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e1e17(wow64)|C:\Windows\System32\ieframe.dll+e13fe(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64) 10341000x800000000000000039457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e1e17(wow64)|C:\Windows\System32\ieframe.dll+e13fe(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64) 10341000x800000000000000039456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e1e17(wow64)|C:\Windows\System32\ieframe.dll+e13fe(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64) 10341000x800000000000000039455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e1e17(wow64)|C:\Windows\System32\ieframe.dll+e13fe(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64) 10341000x800000000000000039454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\SHELL32.dll+130450(wow64)|C:\Windows\System32\SHELL32.dll+19361f(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e1e17(wow64)|C:\Windows\System32\ieframe.dll+e13fe(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64) 10341000x800000000000000039453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130442(wow64)|C:\Windows\System32\SHELL32.dll+19361f(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e1e17(wow64)|C:\Windows\System32\ieframe.dll+e13fe(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64) 10341000x800000000000000039452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130442(wow64)|C:\Windows\System32\SHELL32.dll+19361f(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e1e17(wow64)|C:\Windows\System32\ieframe.dll+e13fe(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64) 10341000x800000000000000039451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.851{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.851{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.851{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.250{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Start\en-US\history\history.jsonMD5=C515A6B2834FD60FCC8A39BEC43AA234,SHA256=D3944D967B207D69414BA10D17309B1BA04515E36D3DA5655F9A7B469C029391,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.250{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.250{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.250{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000039444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.694{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local49251- 354300x800000000000000039443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.694{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local63759- 10341000x800000000000000015061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.752{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.749{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.747{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.742{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.739{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.738{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.736{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.727{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.726{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.723{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.720{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.713{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.707{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.704{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.692{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.688{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.682{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.680{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.660{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.652{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.638{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.629{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.617{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.590{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.585{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.580{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.574{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.568{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.560{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.552{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.548{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x800000000000000015030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.376{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0395EA6AF4C0D7699F4E1DF75744508,SHA256=3D52A8C3438EF16E63CBFD38E716B151D586AED30532DA6473EF6127880E5D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:42.051{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6485705928237E656082113FC8BF9B27,SHA256=CC64B214B89216A67578B139EA0CE9D0F1F0192363E6055F69EC5D4DB9BA3060,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:43.899{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31BD55CE03C32BC053E61BBE55408B68,SHA256=1497D8B18D95297DC620EC41B89199FF21C297DFF00C0BF509544F01C95E99CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.003{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50033-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000039503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.384{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.384{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.384{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.369{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.369{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.369{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.369{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000039496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:40.682{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56214-false10.0.1.12-8000- 10341000x800000000000000039495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.068{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED46E5C6EEB4D07CE9EEE3477FA64C6,SHA256=CD33B309DFBE00BA2B0AA2861FBFFC3B3CE1D6222D571257DACEDE1191110427,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:44.932{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5BF70CCFE018A3FCBAEBFFEE8A2DF70,SHA256=6DBC50D1AFB025C17B7446CA6A73DF31B82B7A73B91E7D41B68D055F90D5840F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.957{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exeC:\Users\ADMINI~1\AppData\Local\Temp\%%%11A4.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.615{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.606{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.606{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.488{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.488{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.488{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=657835BC7C6159BEF57CFF59F6BB4523,SHA256=A542CDCEB06EEA89A94F03C926815AE53F6DA8704215EB033E8C7BCB1124689E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.459{FE4C2B44-D9F5-63C7-1200-00000000AF02}7566572C:\Windows\System32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.439{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.439{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.439{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.439{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.439{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.439{FE4C2B44-E326-63C7-F905-00000000AF02}32606896C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Windows\System32\windows.storage.dll+1c6716(wow64)|C:\Windows\System32\windows.storage.dll+1c63d1(wow64)|C:\Windows\System32\windows.storage.dll+1c64a3(wow64)|C:\Windows\System32\windows.storage.dll+1c7175(wow64)|C:\Windows\System32\windows.storage.dll+1c6021(wow64)|C:\Windows\System32\windows.storage.dll+1c8182(wow64)|C:\Windows\System32\windows.storage.dll+1c85ec(wow64)|C:\Windows\System32\windows.storage.dll+1c8035(wow64)|C:\Windows\System32\SHELL32.dll+1a9394(wow64)|C:\Windows\System32\SHELL32.dll+1a926e(wow64)|C:\Windows\System32\SHELL32.dll+1431da(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000039507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.396{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe12.1.0.15192Foxit UpdaterFoxit UpdaterFoxit CorporationFoxit Updater.EXE"C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe" -updater -type "Auto Updater" -hwnd 66498 -bnoshowtip -readerpath "C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\" -regpath "HKEY_CURRENT_USER\Software\Foxit Software\Foxit PDF Reader 12.0" -version "12.1.0.15250" -readerlang "en-US" -UpdateMode "1"C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=9968A58D93AF316E2D4EA79B0CCCF0FB,SHA256=3D79910A9B723D8B923AD7463BE373A9147745B743F5B03F7ABC25201CBC86DB,IMPHASH=BD3F29B8D5BB0B0238E0071DCEF6C8FA{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe"C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe" 10341000x800000000000000039506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.386{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000039505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localEXE2023-01-18 12:16:44.331{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe2023-01-18 12:16:44.331 23542300x800000000000000039504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.179{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD3444983C7F4E69301D0643DD9F2B3,SHA256=FB88EC6B06680229BA53F62D3F13F8091040D64250C7978189605F495FBF9B0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.938{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.921{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.921{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.827{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E32D-63C7-FC05-00000000AF02}1844C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.827{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E32D-63C7-FC05-00000000AF02}1844C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.709{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204E80A2F4588750C3A4F43FB8790212,SHA256=477F0DAFEFB2B010B51345DA7A18494353952D03124B8A6ADF8A91F5F635C110,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.709{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA13304AAEB72731B29B2B6F5305CD37,SHA256=78C30DB9D5789F8232BC8D2CB5FE16A5EBA25AC1F590E9387149A2C1402A703D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000039594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.145{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64489- 354300x800000000000000039593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.112{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local64489- 10341000x800000000000000039592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.613{FE4C2B44-E32D-63C7-FC05-00000000AF02}18441944C:\Windows\system32\conhost.exe{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.559{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.559{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.559{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.559{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.559{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.521{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-E1F1-63C7-9405-00000000AF02}352C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.496{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=1416AF39515F603B585851FFF452CBF5,SHA256=395AA423C8EA47B5B015E9BD4607412C550B83218077BDC73F4D0951F13444DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.495{FE4C2B44-DDF4-63C7-A004-00000000AF02}47002992C:\Windows\system32\csrss.exe{FE4C2B44-E32D-63C7-FC05-00000000AF02}1844C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000039583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.494{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=BC27F57079DF8BF901D14291DC1B5CA2,SHA256=656C2679AD2E766A183D3FA74A796738348CB2B1C7F26822CA70EB0772E329FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.489{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.489{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.489{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.488{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.488{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.488{FE4C2B44-E1F1-63C7-9405-00000000AF02}3521020C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Mozilla Firefox\xul.dll+2227102|C:\Program Files\Mozilla Firefox\xul.dll+2226f05|C:\Program Files\Mozilla Firefox\xul.dll+2226f51|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|C:\Program Files\Mozilla Firefox\xul.dll+1e7daf6|C:\Program Files\Mozilla Firefox\xul.dll+188f6af|C:\Program Files\Mozilla Firefox\xul.dll+121c68|C:\Program Files\Mozilla Firefox\xul.dll+164f8d3|UNKNOWN(00000295DAA44B31) 154100x800000000000000039576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.487{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe109.0-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/1052e587-2eb3-4423-ae75-ebf8abca3a74/new-profile/Firefox/109.0/release/20230112150232?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\1052e587-2eb3-4423-ae75-ebf8abca3a74 https://incoming.telemetry.mozilla.org/submit/telemetry/6f9e4b5a-cf53-4959-9c07-f023402ce9d4/event/Firefox/109.0/release/20230112150232?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\6f9e4b5a-cf53-4959-9c07-f023402ce9d4 https://incoming.telemetry.mozilla.org/submit/telemetry/427643f4-4c37-40cb-b3ae-60b8792f9915/first-shutdown/Firefox/109.0/release/20230112150232?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\427643f4-4c37-40cb-b3ae-60b8792f9915C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2MediumMD5=81936B521FDC389CAE219484DEC34395,SHA256=6FB414545198766879F8420A7F09C5B06108A61310E7D113FB4565F1195D60AC,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{FE4C2B44-E1F1-63C7-9405-00000000AF02}352C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 23542300x800000000000000039575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.484{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\aborted-session-pingMD5=56B91462F2DB1F0F3D753EDC179A8C11,SHA256=2283E17F2D8E031B2AE7ABB3900AF608BEEE8AABC17461A3B00370E3433BDEAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.398{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage.sqlite-journalMD5=071DA4A1729E7358276A3DD62A6D25B1,SHA256=A7C28E83F54C3AAC734158A45673484ECE0D72CBB2DF784B2588EBFEAAB0CEC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.390{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-walMD5=E06099DCEC9B3E656C52155D4F3C66F7,SHA256=4C17982EEAE0900151AFFEE836BA940E111F3F183466B8929427C8A488A1BF2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.389{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=D05CC57C001183075518A5E84D8C9459,SHA256=0BEC7DCACA9D36AE4A6ED7F7E7C0E7AE106B671AD392B870C25EE56627AC33F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.386{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.382{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\cookies.sqlite-walMD5=A23787F00DB7FC0C15A54D8B68E69813,SHA256=9F1FCB43D403CAC53DF7AFB090771B95B5591E9E9E1441F774A4B172215D0462,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.377{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\cookies.sqlite-shmMD5=A76E2589039D24D9DC7FD862251DF429,SHA256=2ACA5EA4BD71CF8F3AA136F38510F547D51B2D27DC1F03ECE1C7B811FD565B7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.370{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\favicons.sqlite-walMD5=7F4B8CCCC5A28912620B8B7B99E2ED46,SHA256=731FDFE4DFB4F1C1D02545C8F0A736AD9E903469F5FDE805171B8702B195B203,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.352{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\favicons.sqlite-shmMD5=412F4E3C029A26346BF5027944CA1587,SHA256=A9087D7CB798FF00D8FC6E2672B7961D67B8876FDEEE5FD1A3635AE17DEA2F59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.345{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\places.sqlite-walMD5=E6A2990F646213CBD61A5E27D355BAE4,SHA256=A221C803DD6EBDCBEC50B46B8158F2FCC6200D633213350532E692ADFED87AD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.322{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\places.sqlite-shmMD5=5D0FAE2D151B96F9939D868185F2A75C,SHA256=F908D8E6791B2DC7614379E6E35B7B90DBF72158FA46DF17B96BFE0F54684C11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.292{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.291{FE4C2B44-E1F1-63C7-9405-00000000AF02}3521020C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E2AB-63C7-D205-00000000AF02}3104C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e7ce0c|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|UNKNOWN(00000295DAA9A18D) 23542300x800000000000000039562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.291{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\webappsstore.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.291{FE4C2B44-E1F1-63C7-9405-00000000AF02}3521020C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E2AA-63C7-D105-00000000AF02}1484C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e7ce0c|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|C:\Program Files\Mozilla Firefox\xul.dll+1e87b83|C:\Program Files\Mozilla Firefox\xul.dll+1eefedb|UNKNOWN(00000295DAA43E90) 10341000x800000000000000039560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.291{FE4C2B44-E1F1-63C7-9405-00000000AF02}3521020C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E292-63C7-C905-00000000AF02}1888C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e7ce0c|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|C:\Program Files\Mozilla Firefox\xul.dll+1e87b83|C:\Program Files\Mozilla Firefox\xul.dll+1eefedb|UNKNOWN(00000295DAA43E90) 10341000x800000000000000039559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.289{FE4C2B44-E1F1-63C7-9405-00000000AF02}3521020C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E1F4-63C7-9D05-00000000AF02}7156C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e7ce0c|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|C:\Program Files\Mozilla Firefox\xul.dll+1e87b83|C:\Program Files\Mozilla Firefox\xul.dll+1eefedb|UNKNOWN(00000295DAA43E90) 23542300x800000000000000039558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.286{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.277{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\protections.sqlite-journalMD5=F3B2EAAA57083687AEB76A9707BD9287,SHA256=24C809E046728BF50604CB550F963C2434B387ECCDAA9A8ED2CDD539263C9406,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.217{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\sessionstore-backups\recovery.jsonlz4MD5=692E62AD3DCDE6ED553BD7CF7CDB762F,SHA256=E4D82CE85AC552151851353F62D2B6818F7DEA89452B2ECAA00B801CE0BCA78F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.217{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\sessionstore-backups\recovery.baklz4MD5=F4E8580C1E1A856E30384B5A8005CC6E,SHA256=6376F91E3C602B980CB7A2FED721C5A892A31588B98EC6F3084FA6022C13DD08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.203{FE4C2B44-E1F1-63C7-9405-00000000AF02}3521020C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E27B-63C7-C605-00000000AF02}6772C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e8e1a7|C:\Program Files\Mozilla Firefox\xul.dll+831d2a|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a9651a|C:\Program Files\Mozilla Firefox\xul.dll+17e5104|C:\Program Files\Mozilla Firefox\xul.dll+1ac0339|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+16d888|C:\Program Files\Mozilla Firefox\xul.dll+16c717|C:\Program Files\Mozilla Firefox\xul.dll+46b6cd1|C:\Program Files\Mozilla Firefox\xul.dll+472a2ec|C:\Program Files\Mozilla Firefox\xul.dll+472b10d|C:\Program Files\Mozilla Firefox\xul.dll+20599f2|C:\Program Files\Mozilla Firefox\firefox.exe+1e99e|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.171{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=1416AF39515F603B585851FFF452CBF5,SHA256=395AA423C8EA47B5B015E9BD4607412C550B83218077BDC73F4D0951F13444DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.171{FE4C2B44-E1F1-63C7-9405-00000000AF02}3521020C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E269-63C7-BF05-00000000AF02}6172C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e8e1a7|C:\Program Files\Mozilla Firefox\xul.dll+831d2a|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a93e85|C:\Program Files\Mozilla Firefox\xul.dll+1a968e2|C:\Program Files\Mozilla Firefox\xul.dll+17d2563|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|UNKNOWN(00000295DAB639FC) 23542300x800000000000000039551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.171{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=8DC12A38B7D5302A1E05EA9FD1267650,SHA256=37CFA0589B01ECE0E52E9B96ACFB8F2DF7D72F0163AB1215C8C05F90BC5C23E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.156{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=B8F7EEA2FAF2A7876F2043F5A6A01009,SHA256=A7EDBE0D71C4E679316B117427856CFDDD23D39C73292FF4EB4234506736CE26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.156{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\events\newtabMD5=69433D4F64EBC4408D3CB52A96D9287B,SHA256=30ABBF26C4C08E9933BA0A62F9F15D0314754D68578D28599D62D61E27DB6081,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.156{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=B8F7EEA2FAF2A7876F2043F5A6A01009,SHA256=A7EDBE0D71C4E679316B117427856CFDDD23D39C73292FF4EB4234506736CE26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.117{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.117{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.117{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.117{FE4C2B44-E1F1-63C7-9405-00000000AF02}3521020C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E1F3-63C7-9705-00000000AF02}7116C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+b7bc2c|C:\Program Files\Mozilla Firefox\xul.dll+f881b0|C:\Program Files\Mozilla Firefox\xul.dll+f86c65|C:\Program Files\Mozilla Firefox\xul.dll+f821a4|C:\Windows\System32\user32.dll+121e4|C:\Windows\System32\user32.dll+11ed7|C:\Windows\System32\user32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFE2E09B)|UNKNOWN(FFFFF3D9DFE2DFD2)|UNKNOWN(FFFFF3D9DFF12279)|UNKNOWN(FFFFF3D9DFE2FDA8)|UNKNOWN(FFFFF3D9DFE2C7B5)|UNKNOWN(FFFFF3D9DFE15879)|UNKNOWN(FFFFF3D9DFE225B0)|UNKNOWN(FFFFF3D9DFE22189)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+1b84 10341000x800000000000000039543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.116{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.116{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.116{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.116{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.017{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E1F1-63C7-9405-00000000AF02}352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.017{FE4C2B44-E1F1-63C7-9405-00000000AF02}3521020C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E1F3-63C7-9705-00000000AF02}7116C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+b7bc2c|C:\Program Files\Mozilla Firefox\xul.dll+f881b0|C:\Program Files\Mozilla Firefox\xul.dll+f86c65|C:\Program Files\Mozilla Firefox\xul.dll+f821a4|C:\Windows\System32\user32.dll+121e4|C:\Windows\System32\user32.dll+11ed7|C:\Windows\System32\user32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFE2E09B)|UNKNOWN(FFFFF3D9DFE2DFD2)|UNKNOWN(FFFFF3D9DFE2CDE7)|UNKNOWN(FFFFF3D9DFE15779)|UNKNOWN(FFFFF3D9DFE153FB)|UNKNOWN(FFFFF3D9DFEBAE9F)|UNKNOWN(FFFFF3D9DFEAFD49)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000039537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.017{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E1F1-63C7-9405-00000000AF02}352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.017{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E1F1-63C7-9405-00000000AF02}352C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x800000000000000039535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.015{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe 10341000x800000000000000039534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.012{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.012{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.012{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:46.832{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57E56FCF010BFB73280BF96B94857417,SHA256=96BB67FAE7608EBA392F39C6AA83E8025320166AC15AC28B01558016E1E30DC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x800000000000000039612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.186{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220us-request.foxitservice.com0::ffff:64.62.208.12;<unknown process> 354300x800000000000000039611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.699{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local62874- 23542300x800000000000000039610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:46.395{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\427643f4-4c37-40cb-b3ae-60b8792f9915MD5=0102517284EF240C23C26CE76999DA5C,SHA256=A53425A276932C052B8E4E435D612881D86694A147D599A171262E7E054499D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:46.330{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E32D-63C7-FC05-00000000AF02}1844C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:46.330{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E32D-63C7-FC05-00000000AF02}1844C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:46.330{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E32D-63C7-FC05-00000000AF02}1844C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:46.323{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:46.323{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:46.323{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000039603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:46.228{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\6f9e4b5a-cf53-4959-9c07-f023402ce9d4MD5=A745BE3F65570C038DF524725DA79080,SHA256=BC9D1ABF37289E7184186EE7AA688DE5793C39556EB62E8821D5C3FCEA9C6318,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:46.014{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B443884409A662EEDC2FCDB314D766E4,SHA256=A12C00D8A4AA41136AFCFB7F25AC03DE9C88DF6A55865C69DEFB605FA80BA8EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:46.118{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\1052e587-2eb3-4423-ae75-ebf8abca3a74MD5=8AB2EC9F1AF52D43342D7204BCDF4A67,SHA256=8836BAA0EC258A0F2BD5787ACCBB50F9DD69C66EF2064CD5411339D471161228,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:47.279{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B4295D6BDC147BABF803696766A0EB,SHA256=1CE65D7B1B29425EED249ACB8BD25B388B06FFD79D1208A97E96B65DA763F4E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:47.109{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3DE5CF458575E5CF27CFB1C3F5BFB5,SHA256=9F9AF28AB69EB17A5386DD1147008B065B278CD3932139FCE4CBEE8EB94F7D23,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.236{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220<unknown process>ATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56215-false64.62.208.12-443https 354300x800000000000000015068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:47.036{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50034-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:48.208{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F28F2041E168C4593A826C70FF3F132,SHA256=17FC4599B128885D5CD976D3385BD5D1557AF10B7B7D2C0DA0ED0964A711C7E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.749{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local64912- 354300x800000000000000039630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.702{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56217-false10.0.1.12-8000- 354300x800000000000000039629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.477{00000000-0000-0000-0000-000000000000}6996<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56216-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 23542300x800000000000000039628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.358{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39CA3E34E48BAF6E8852FAEF27945A1,SHA256=173A4E9949F2C75E47313A7F03EE36C197269DC906E85D8C33AC8830D650A3E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.339{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.339{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.336{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.336{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.336{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.336{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.151{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.151{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.136{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.120{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.120{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.120{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000015069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:49.302{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D250D78BAA5CB8435361473018D6E56F,SHA256=29FB46D82ABC2B926ACE32C75C1AA16C2910E2A3F6D776D1BE460602F164238E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.774{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64912- 23542300x800000000000000039632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:49.417{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E5E7B5DE2638D2E144BD916E5E10F5,SHA256=0DD598EE3190F3AED92ACC24079834609E2A3F8C2F20F4052FF5DE374E0BA00D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:50.397{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A199904295C893A775DF2892203E91,SHA256=49F14927DDFFC58F0435FE0E8E4AA1E9B751AC55EF51ACD84CDB937AE427199A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:50.520{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25605C387A5679E91A72D67A8C378AB,SHA256=943F69EF01FEA1811327E73F7237CD5206F854F44B47B40A61F4BC0D18CB6224,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:50.114{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000039635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:50.114{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000039634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:50.114{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x800000000000000015071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:51.481{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06056057B221E517425E0F19C798B9A4,SHA256=0B56C386EC66AF90B8879BA2170BF5F1A994E09419623373F5EEB3162B4CCBD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.936{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.934{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.928{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.927{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.923{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.905{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.899{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.894{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.891{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.889{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.887{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.858{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.853{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.849{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.832{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.824{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.822{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.817{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.804{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.782{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.774{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.766{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.757{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.708{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.706{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.659{FE4C2B44-E333-63C7-FF05-00000000AF02}61883596C:\Windows\system32\conhost.exe{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.659{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E333-63C7-FF05-00000000AF02}6188C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.659{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.659{FE4C2B44-D9F5-63C7-1200-00000000AF02}7566572C:\Windows\System32\svchost.exe{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|c:\windows\system32\pcasvc.dll+43591|c:\windows\system32\pcasvc.dll+22bed|C:\Windows\SYSTEM32\ntdll.dll+7de2d|C:\Windows\SYSTEM32\ntdll.dll+3a979|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.612{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE66D76EF7A91D7525F87EBD735AB210,SHA256=A17F6DC9BC4F32187B5509FD11CBD4BCCDFFF6DCCB24410A7B375F781A21B2A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000039639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.866{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56218-false184.105.214.144-443https 354300x800000000000000039638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.802{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60488- 23542300x800000000000000015072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:52.563{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E1FC3F3DBFF72F56850E40D3C279D12,SHA256=F5055CA9080C032428328F60CB77FCE5C3C0EF51A88C77E9325F5DA557847542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.815{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD5F9AAE3D2132666B32EF4A6D1B0CD,SHA256=FF68F73E404A797066C0752DC7B506B39DD0E20DDC48D2F23FDD2970E0B69105,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.814{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51072CAC7837CF5EB024D57013DACECD,SHA256=DF9D3E8206ED497B8D3252F4DC038B0E15FB6775A57666C11385434EC69D3858,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000039726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-VerSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\unins000.exe|a56d22f9565089c\BinProductVersion0.0.0.0 13241300x800000000000000039725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\unins000.exe|a56d22f9565089c\LinkDate04/06/2016 14:39:05 13241300x800000000000000039724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PubSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\unins000.exe|a56d22f9565089c\Publisher(Empty) 13241300x800000000000000039723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PathSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\unins000.exe|a56d22f9565089c\LowerCaseLongPathc:\program files (x86)\foxit software\foxit pdf reader\unins000.exe 13241300x800000000000000039722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-VerSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\trackreview.exe|786f684a9109af4\BinProductVersion12.0.0.12354 13241300x800000000000000039721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\trackreview.exe|786f684a9109af4\LinkDate05/20/2022 14:55:49 13241300x800000000000000039720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PubSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\trackreview.exe|786f684a9109af4\Publisherfoxit software inc. 13241300x800000000000000039719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PathSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\trackreview.exe|786f684a9109af4\LowerCaseLongPathc:\program files (x86)\foxit software\foxit pdf reader\trackreview.exe 13241300x800000000000000039718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-VerSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\sendcrashreport.|d79250f26b84db3d\BinProductVersion12.0.0.1203 13241300x800000000000000039717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\sendcrashreport.|d79250f26b84db3d\LinkDate05/20/2022 15:07:56 13241300x800000000000000039716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PubSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\sendcrashreport.|d79250f26b84db3d\Publisherfoxit corporation 13241300x800000000000000039715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PathSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\sendcrashreport.|d79250f26b84db3d\LowerCaseLongPathc:\program files (x86)\foxit software\foxit pdf reader\sendcrashreport.exe 13241300x800000000000000039714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-VerSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\od3dpdfconvertor|81b8538a277ceb06\BinProductVersion(Empty) 13241300x800000000000000039713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\od3dpdfconvertor|81b8538a277ceb06\LinkDate05/11/2022 10:00:58 13241300x800000000000000039712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PubSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\od3dpdfconvertor|81b8538a277ceb06\Publisher(Empty) 13241300x800000000000000039711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PathSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\od3dpdfconvertor|81b8538a277ceb06\LowerCaseLongPathc:\program files (x86)\foxit software\foxit pdf reader\plugins\pdf3d\od3dpdfconvertor.exe 13241300x800000000000000039710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-VerSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitupdater.exe|bca8dd74adc96ab6\BinProductVersion12.1.0.15192 13241300x800000000000000039709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitupdater.exe|bca8dd74adc96ab6\LinkDate11/28/2022 06:56:16 13241300x800000000000000039708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PubSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitupdater.exe|bca8dd74adc96ab6\Publisherfoxit corporation 13241300x800000000000000039707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PathSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitupdater.exe|bca8dd74adc96ab6\LowerCaseLongPathc:\program files (x86)\foxit software\foxit pdf reader\foxitupdater.exe 13241300x800000000000000039706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-VerSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpreviewhost|5bd850ff9cc7b40\BinProductVersion12.1.0.902 13241300x800000000000000039705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpreviewhost|5bd850ff9cc7b40\LinkDate11/28/2022 10:04:13 13241300x800000000000000039704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PubSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpreviewhost|5bd850ff9cc7b40\Publisherfoxit corporation 13241300x800000000000000039703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PathSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpreviewhost|5bd850ff9cc7b40\LowerCaseLongPathc:\program files (x86)\foxit software\foxit pdf reader\shell extensions\foxitpreviewhost.exe 13241300x800000000000000039702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-VerSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfreaderup|1067dd6c4da9a47a\BinProductVersion1.0.0.1 13241300x800000000000000039701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfreaderup|1067dd6c4da9a47a\LinkDate05/20/2022 15:12:12 13241300x800000000000000039700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PubSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfreaderup|1067dd6c4da9a47a\Publisherfoxit software inc. 13241300x800000000000000039699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PathSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfreaderup|1067dd6c4da9a47a\LowerCaseLongPathc:\program files (x86)\foxit software\foxit pdf reader\foxitpdfreaderupdateservice.exe 13241300x800000000000000039698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-VerSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfreader.e|6c0974eb9439b2c1\BinProductVersion12.1.0.15250 13241300x800000000000000039697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfreader.e|6c0974eb9439b2c1\LinkDate12/05/2022 10:40:21 13241300x800000000000000039696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PubSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfreader.e|6c0974eb9439b2c1\Publisherfoxit software inc. 13241300x800000000000000039695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PathSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfreader.e|6c0974eb9439b2c1\LowerCaseLongPathc:\program files (x86)\foxit software\foxit pdf reader\foxitpdfreader.exe 13241300x800000000000000039694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-VerSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfcef.exe|a90e7f3c1f2d9f7\BinProductVersion12.1.0.0 13241300x800000000000000039693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfcef.exe|a90e7f3c1f2d9f7\LinkDate11/24/2022 09:06:20 13241300x800000000000000039692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PubSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfcef.exe|a90e7f3c1f2d9f7\Publisherfoxit software inc. 13241300x800000000000000039691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PathSetValue2023-01-18 12:16:52.610{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfcef.exe|a90e7f3c1f2d9f7\LowerCaseLongPathc:\program files (x86)\foxit software\foxit pdf reader\foxitpdfcef.exe 13241300x800000000000000039690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-VerSetValue2023-01-18 12:16:52.610{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\64bitmailagent.e|db093837ef4290d3\BinProductVersion1.0.8.1228 13241300x800000000000000039689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-18 12:16:52.610{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\64bitmailagent.e|db093837ef4290d3\LinkDate05/20/2022 15:01:43 13241300x800000000000000039688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PubSetValue2023-01-18 12:16:52.610{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\64bitmailagent.e|db093837ef4290d3\Publisherfoxit software inc. 13241300x800000000000000039687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PathSetValue2023-01-18 12:16:52.610{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\64bitmailagent.e|db093837ef4290d3\LowerCaseLongPathc:\program files (x86)\foxit software\foxit pdf reader\64bitmailagent.exe 13241300x800000000000000039686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PubSetValue2023-01-18 12:16:52.610{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplication\000051e80f0bed177961040f6171bd1efa830000ffff\PublisherFoxit Software Inc. 10341000x800000000000000039685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.386{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E333-63C7-FF05-00000000AF02}6188C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.386{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E333-63C7-FF05-00000000AF02}6188C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.385{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E333-63C7-FF05-00000000AF02}6188C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.382{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.381{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.381{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.381{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.381{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.381{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 22542200x800000000000000039676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.816{FE4C2B44-E326-63C7-F905-00000000AF02}3260startpage.foxitsoftware.com0::ffff:184.105.214.144;::ffff:184.105.214.143;C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe 354300x800000000000000039675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:50.706{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56219-false10.0.1.12-8000- 10341000x800000000000000039674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.300{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.088{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.088{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.088{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000039670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.088{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x800000000000000015073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:53.651{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC6A3A665246A2669E7F4B68720082DC,SHA256=A86E7938841DF6942EFA9F1534A6D335E10C31BD44D4002535C587494874B4D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:53.921{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63B3F853EB908C3187DAC594B70A5453,SHA256=76CE746E5F37D2C6649AA5F354C3F441DC896D3C51376E8A852C342C5E5E4A39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:54.745{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B21FF24D8131016F4216D554647750A9,SHA256=5F718D60E6DB785DBC7E6A408D4CDE9450ADF6B2DABB516FC34B486320706623,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.980{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.979{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E318-63C7-EF05-00000000AF02}5628C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.978{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E318-63C7-EE05-00000000AF02}3480C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.977{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.976{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.975{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.974{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.966{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.942{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 354300x800000000000000015074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:52.043{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50035-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000039748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.909{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.901{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.892{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.888{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.886{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.883{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.880{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.878{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.877{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.874{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.873{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.872{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.871{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.870{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000039734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.818{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=258FD40AB29D7BD8E104D606EA216AD9,SHA256=504E0D0E090A0B6F07B0A723136B8AEF9F01AA22CFE9E01E91EFE79A68F1538D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.520{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BB31CA60CF13AB52C2B01A783CD692E5,SHA256=028C27FB4CB230728191CC6724BAA0A23113308544F8FACBB78D38FCDF5C120E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.365{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.364{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.172{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-F104-00000000AF02}6068C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000015076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:55.858{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DACD18CBA13F7AA0D0086C8F5577C64A,SHA256=3E9B8E2EF44196CBA08949C933800F5355EFFC775C19F730A886EF1D2C6A981A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:55.128{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{0BDE7B0F-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.dbMD5=F3DC4461F59519C68ABD86B979EA9762,SHA256=5896967D61C1C716C98511DCFC267A12749D330E5DEB35ECCB4690DFA756C964,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:55.050{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.binMD5=E871053170AD09568882637D049295DC,SHA256=CEA9EABB0B46AC602CDC3FB6FE6215981F2D7C0C6A5C5023CE72860232DBE12B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:55.034{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE376DD6DCF75686511E74A2A3F55540,SHA256=7CACB1BB1F12606CA35459FC6FEFEBFB72856DC49498825F39F391E8E6E44FCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:56.953{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C19CA7BD7D2FA375776369610623E4,SHA256=8C8514832B60CC29E4BB761CEA22A24DE7F09C9A69189AC12CE90FCB98BB56A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.291{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56220-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000039762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.291{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56220-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 23542300x800000000000000039761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:56.003{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305C3160AFCD3BE36A40CDE08A0900F4,SHA256=E1D7C975F6CA1C30E4EF9B8F2ACCD3A57DE7CFAFA9BB0D51181F2CEF1936871C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:57.086{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62D213408D3709DA990C99D0E40D068F,SHA256=61977A472845966220B5EAA5327B7C4C340EF90290AD6B2ADC774B5D5A6AC3DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000039766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:56.654{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56221-false10.0.1.12-8000- 23542300x800000000000000039765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:58.193{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4FD09DFFA991E4618DE4C8AA7720376,SHA256=EFEC4FCCFC53760D7EF1CC18C2A0DB7F383637F78C27EBC0385D9DC6CAE80B6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:58.047{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C87870F15179A1FBF9F996BD1DCDD5D,SHA256=C78E533EA965AF9D9F87DDDE5F62E2B220B2AA65F989A1C851AF1DFF1A10099C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:59.258{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2A27B01869B925E80433C2DA9F2D674,SHA256=44FB13D16B1B65CD9CABADE99D8A543F6D3FC90BBD0981B148264C3D9B0DA217,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:57.974{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50036-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:59.144{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E836AA4898C4291340EAB74D3921A5,SHA256=14391891117D71323304EB611DF43214846E8B3CC82C326694C05A72021E9CF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.426{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C6EB18D154C15A9ED0650867DAC06EB2,SHA256=1E444FD06C160D57253A0AC6D72AD20932FCA663D0C2240731F403C944F7A23E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.332{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34598DFD6D481F3D0B68D8A628C88FB,SHA256=8C19C07816D894A6F6F88F8A6A5C898829EFDE80522E02E5346D27E18D9CC74A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:00.934{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2AD7889BB42D940CE29348848EA97A9F,SHA256=5DAE8CDA0FC55A83CF9F652D8897B07BDBECCE04F9C5469CF42F5D50BF8E4FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:00.224{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E208B5344057493C5D6F2951FEB1A259,SHA256=3A2922BBB1268310397FB0B87B44D17FDF356ACD5F01F685651F8508BD7F303A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:01.783{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1BBC4FB0EF380D1FC2C893A40A08568,SHA256=317F64AB78ED67A7CE803A1CA5A2B19B3AD030477B3CFF1A1EFCC8E4BA2E0285,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:01.401{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=5DEFC9D22F0CAE64193DBB54D30BECBA,SHA256=F357A07A8C873A10062DC9D43FCD3998EB67BAAB0F7C4CA1D3EE90CE47A7F655,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:01.385{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=FA72170AA2DDBEF80E2E6565EB4401C1,SHA256=3385FADBDF5CB928EB7049B54A865D5DB3695E98914FFE9BF4FDE9EA6D039A40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:01.385{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=AEDB57ABDC32AD7869684E162401FEE7,SHA256=4B3CE250F83984DB09E8995E601159ED97F31F2062A32644AA021B2D06A2CDF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:01.370{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=2B1FF1B61139A3BCE42A6FB0326558A1,SHA256=0ADA21EE6F5155BD00820959A82030814D7C472D00689D9E20B9BEB4C8FE03DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:01.831{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\respondent-20230118114719-028MD5=2BA10D7196373860DD67B47CDBC7ACF2,SHA256=36B87809E8BE9B960CE5E03B4CEC64D52EF7C46D9877F9C3402AB54869FC5CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:01.309{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E4DF8F0A4A6CDF93B3E3F45EDCA1E7,SHA256=4995279B9A857221457B0275ED5E5EE9DF37D1AB51B17EC44BF7147126A56116,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:01.276{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:01.276{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=D3C30A1BF2CFDB5EC6D2940125B16C0F,SHA256=9E05FB7BE9E00C74D38273AA8748AD6E78B2999626D5A79A4D704365270A22AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:01.276{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=C70088275245A7C3D68E85B6BAF8A41B,SHA256=BCA4727E5B0CDBB8DE78CB3138D15D5BBCBFECD83D8E01AFFB3790B6FB76563E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:01.260{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=5A74691BB2D63F99E2613172A6752D7C,SHA256=C10BD055921B31D7678E10BE917609EDA9FD5095F13F0F1D885F94764971A875,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000039809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.780{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local63763- 23542300x800000000000000039808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:02.495{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A729AE8E2EBC87DE697B5D231EC826B,SHA256=2CDFB477138CB97662EAB699F03AA4497A6A009F90A3395F43791A215F963C7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.833{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\surveyor-20230118114717-029MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.763{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.761{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.760{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.754{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.750{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.749{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.749{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.745{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.744{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.742{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.741{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.732{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.728{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.726{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.719{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.717{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.708{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.705{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.680{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.672{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.663{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.652{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.641{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.597{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.588{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.581{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.570{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.560{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.552{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.543{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.539{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 23542300x800000000000000015085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.373{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64E18057F2F44853E4C4A5FD0CE0900,SHA256=31D036074A83E85ADA061E51B3614C01A9450F5844ADB5D7BC096465D07C6AB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:03.951{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:03.701{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D1C1340B5CB08C7982EB40B7FC8175,SHA256=286D53C6A8FB059EF3C273125D638DB668AC39F8096A20AE08D58CF7C427B793,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000039814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:17:03.634{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXEHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{23170F69-40C1-278A-1000-000100020000} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 23542300x800000000000000039813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:03.568{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BABED665C643A44EC461DF128DE0166,SHA256=C3DADB8797D9007F5C52B90F06143272EF67AF67E0DAA37E9A98E82B8E2A7F1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000039812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.899{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56223-false108.156.184.126server-108-156-184-126.cmh68.r.cloudfront.net80http 354300x800000000000000039811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.798{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56222-false108.156.184.126server-108-156-184-126.cmh68.r.cloudfront.net443https 22542200x800000000000000039810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.808{FE4C2B44-E326-63C7-F905-00000000AF02}3260ad.foxitsoftware.com0type: 5 d3p6bpyaguxd3a.cloudfront.net;::ffff:108.156.184.126;::ffff:108.156.184.54;::ffff:108.156.184.78;::ffff:108.156.184.105;C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe 23542300x800000000000000015120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:04.992{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D28A4F18A69692F26948C79671E46D6,SHA256=6940C05E53E39FEC6AA0C804C79CD1E0ACB1B87CAC9E2115B940EE854D56145B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:04.878{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:04.626{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3284BC6935A63B6531C15860AE1D2125,SHA256=F40C17FB511D18DEDCA8802045074E9A1C338592430CAFAEFBB53C122AB2C417,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000039815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:02.651{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56224-false10.0.1.12-8000- 23542300x800000000000000039819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:05.709{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=325BF570CAD2C19627AA9EE86E53DD5A,SHA256=5BB66EA7CAA0A968BFC62F7A9DAC8E734D1A2289AB14BE364A8A97B899649324,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:03.815{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50037-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x800000000000000039818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:02.902{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local51264- 23542300x800000000000000039820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:06.778{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A042C2BAD150D48AAABA64B41E3D4B12,SHA256=CD3B979493B83503D186811D5CF4F40B3BA2322A20DB874F46FB5413D204E8D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:03.910{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50038-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:06.083{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69033AE79DB51F53610CF7DF9FE7A205,SHA256=C6549623FB2A64808846454567D268EC6C6F1D02797DF2F06C7BD56AE4860C91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:07.858{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3FE78951806FA86F6A7D05C1297CD87,SHA256=71B7F25BD221C3195120E0A61749D326C94E7FF370E36363120B305827E67DC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:07.173{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5FFE98038EFC7B1D086D7E4799005FF,SHA256=0142E641F889711D6602A826F0BF84E1EF5AA101D609698A8BFCDEFB20FC8316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:08.953{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A1C9A9C9BC0DC96D660D54ED2BB363,SHA256=F8F82CDB15F2E1496E1E66C95E290B7DA7F2F2DD945B742C62965ABE7FD223CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:08.266{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6F39EDED31F95CE551C899CEB0BB7E,SHA256=6D9A6A12896C2759552DEA4E1B2A88A47987A1C956B6FBE9FEE3B827298C6687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:09.349{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5A915FC1188C1EF06FBA6D6A9468CE,SHA256=77E7A8021854878A1C8DCF57F6FBB5C0E322B12B857795DC99A87292CDB1B0D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:10.437{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0D0272872E4510F421BF4ADC8DC607,SHA256=8E04E80163C166E950DD6CD63DFE80B324F8D7416638CBC7D1500733276590A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:08.638{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56225-false10.0.1.12-8000- 23542300x800000000000000039823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:10.021{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7D910B94DF1D0FAD2239003CE7668F,SHA256=A9D7651CCB1106E0B8F76B23408396443B544CFEB9AE60C96475A2ADB898FF99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:11.513{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8043F04902BBE54544682C37CC7F7DB,SHA256=7B768C59C9A631D8EEDEF3DEB5FB2E09FDC9391505E0BEEE8EA84AE0D103E527,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:08.919{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50039-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 1034