23542300x8000000000000000320271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:47.591{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A621B8FAD832764B794B8E91043F993,SHA256=CA62C8E5D89362086534735B3AC31C9FB599BDA52534E770D2AA158D64F50BFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.410{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7023EAC74833A625AD1FF676654E00E1,SHA256=7F7702B9A401BCBE13BE0B60F432BDCCCBF33CBA05F6B0BFFA037951AAE6EFBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:47.008{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-099MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.238{45AAC21C-B353-63D3-A903-00000000BC02}60483292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B353-63D3-A903-00000000BC02}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B353-63D3-A903-00000000BC02}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B353-63D3-A903-00000000BC02}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.062{45AAC21C-B353-63D3-A903-00000000BC02}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.014{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49E038AC08E30C91BED56E8D4CE64EDA,SHA256=D9CF0DD7C6BF58C748AC98C7B30FBF0AD19F46182F032A12A6A7F2D67A522CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:48.691{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4C4F082969EAD567A2D61BAFB31615,SHA256=3400367DAE731A6AB70E62A4676F25BD706C4C6AC78D8363BFA0EC977BC40BC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:46.244{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52636-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000446587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:46.244{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52636-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000446586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:44.707{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52635-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000446585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:48.501{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B987C5074B18BB08197DCC4C8C3FA7,SHA256=750174A362ED86C94FCAA64F39778D3A745A57B47685FD341A11F164B529A4B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:48.080{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=28DEA663624D00EA97EE6E1820AFA363,SHA256=B6C036D089F2F489341C2D28819A1A3F2345CACC7C51C028B4A1F86E911F1BA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:49.778{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18E65A5359D32DA150C7B1F1E093D7D,SHA256=0150794E3C51A7BC1EF13C4D2E8BC1772C2668DF54D3553CA57D2E9F811A7A9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.922{45AAC21C-B355-63D3-AB03-00000000BC02}42125980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B355-63D3-AB03-00000000BC02}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B355-63D3-AB03-00000000BC02}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B355-63D3-AB03-00000000BC02}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.720{45AAC21C-B355-63D3-AB03-00000000BC02}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.594{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F51C12ABE99C8E1D12ECF2650E195465,SHA256=046E99F748FE0399CC2839429093883ACA7EFFF31F4B8BF055558D4F148F2435,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:46.294{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50921-false10.0.1.12-8000- 10341000x8000000000000000446597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.380{45AAC21C-B355-63D3-AA03-00000000BC02}24284872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B355-63D3-AA03-00000000BC02}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B355-63D3-AA03-00000000BC02}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B355-63D3-AA03-00000000BC02}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.190{45AAC21C-B355-63D3-AA03-00000000BC02}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:50.990{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C45B7EF8698BF101EDDF9BBF548307C,SHA256=41E6E195FAA5CD48DB1B83D6A9C406F2B84A19B801BF8CCBD0F42A57176B7F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.676{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=544352C22D8C5ACD396C58D4AA1AF4A5,SHA256=AD57D1425138AA3C4C69DAF113FB1F1147B714AC033AD811FCC928AAB7E94D55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.558{45AAC21C-B356-63D3-AC03-00000000BC02}26242476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B356-63D3-AC03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B356-63D3-AC03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B356-63D3-AC03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.348{45AAC21C-B356-63D3-AC03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.780{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021F65E070621DF26671610B5746422A,SHA256=1A0C27892C4D8B5523844ADE7C7DC77A145F593F1B5D50FF8BD2DA4273CB0131,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B357-63D3-AD03-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B357-63D3-AD03-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B357-63D3-AD03-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.765{45AAC21C-B357-63D3-AD03-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:52.887{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA218BC0F77EA73D2FED573FA777FB77,SHA256=0AE3EB12AD8C58A7319D078E062A28AFDB8601DD77B00DE1507C029B2DF97A08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:52.871{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE60FEBB0F67C1FD440190B8379B0AF,SHA256=045AB78164686D9184CA170FFA8E92B27E759CE2E37CC675906F12B4A40AE0E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:52.189{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C35B21B785C3FAE91C1C74F82C69D8,SHA256=0CE5A22F6A5D713A390663FD2E144CB83944578634E629700EEA71AB12AFF4F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:53.953{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9A8C183C267EB3A824BAED154BF0F2,SHA256=81150A142DD4D263210E3F9CA2FB07517DD5C650F8D9DABA6F043B73D286A11F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.932{72106695-B359-63D3-9303-00000000BD02}54366036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B359-63D3-9303-00000000BD02}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B359-63D3-9303-00000000BD02}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B359-63D3-9303-00000000BD02}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-B359-63D3-9303-00000000BD02}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.267{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4AF59E0EFC33F1405B067824FFC6CC7,SHA256=9392D22C9E2A676A28D1CB98D1167EDF680DEB48C5C249784F7AB19BB1F63345,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:51.299{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50922-false10.0.1.12-8000- 10341000x8000000000000000320305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35A-63D3-9503-00000000BD02}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B35A-63D3-9503-00000000BD02}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35A-63D3-9503-00000000BD02}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.813{72106695-B35A-63D3-9503-00000000BD02}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.797{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C2288417BB9988ECE2255FD1A9E8FD5,SHA256=9DD96A86AD2DCF0ED036EBA1D6042DC442980C40AABD904AF152FA1385E859C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.578{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=72A1A06454ECCBA4A9F8B6FFA072B9B1,SHA256=0D4B0B64C04D9B7FABA8BE3D42FE3DDF20F3F9C392A05DC5A856F25CB5BD8F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.356{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A344CE91AC907E2DF781E2102B1FF895,SHA256=16417B8417B585AAD35985AB3901FABA405DB9DB7A6923473843075A5A2A0EC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.844{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52637-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000320294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35A-63D3-9403-00000000BD02}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B35A-63D3-9403-00000000BD02}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35A-63D3-9403-00000000BD02}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.139{72106695-B35A-63D3-9403-00000000BD02}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35B-63D3-9703-00000000BD02}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B35B-63D3-9703-00000000BD02}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35B-63D3-9703-00000000BD02}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.953{72106695-B35B-63D3-9703-00000000BD02}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.515{72106695-B35B-63D3-9603-00000000BD02}56885412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.456{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4363C020AA16C43286C8B2FA7EB1A58,SHA256=AEE286FAE4ED1781C7A8155D766C5E3EA169CBB637F1DC8BE3915679FAC8C748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:55.057{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=912D4B7651B5E558B837AE0BFC11EA0E,SHA256=D636B4EDC329EC0C2EB74172D264FC7EDB710E9195DA56FF77A7C3286632B4C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35B-63D3-9603-00000000BD02}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B35B-63D3-9603-00000000BD02}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35B-63D3-9603-00000000BD02}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.316{72106695-B35B-63D3-9603-00000000BD02}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.764{72106695-B35C-63D3-9803-00000000BD02}15525404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.576{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35C-63D3-9803-00000000BD02}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.574{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.574{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.573{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.573{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.573{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B35C-63D3-9803-00000000BD02}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.573{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35C-63D3-9803-00000000BD02}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.572{72106695-B35C-63D3-9803-00000000BD02}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.536{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D626B972B58A57ED56DF5E4ACBCE26,SHA256=87AE8B86D9885391F461A57698A3A1FE8A7920135F564FC27CBA448F384465A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:56.152{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5844036460BB11AC88B00E8A5D489382,SHA256=F0FEBC53D896773850681361DD5E44A6634DE3EB81B0E4494B27DF4274042BB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.143{72106695-B35B-63D3-9703-00000000BD02}18563160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.731{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDD65C2EB810E79DD89FD3B8A7FA514,SHA256=E2F48613E1B967A15D1F743946B6F5656A5C4898447CBBBD80BA8071E449449B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:57.238{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C181F66862CFA7F86EE4D0E2A3DF5565,SHA256=391DF69A3261BC900EF190D3D620B7ACEC4F402AA6E5892ABF853780ACF2FDB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35D-63D3-9903-00000000BD02}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B35D-63D3-9903-00000000BD02}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35D-63D3-9903-00000000BD02}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.125{72106695-B35D-63D3-9903-00000000BD02}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:58.822{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F923ABC6AADC550184E088715CE7A75,SHA256=E28F91A7A25DE60CF8D30957E4D3FC1280FF724ACED23F658D3B09E72CD5E077,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.520{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50923-false10.0.1.12-8000- 23542300x8000000000000000446635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:58.311{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B6B434E97602DEE9B79C461EF27D72,SHA256=81D42A3A0789D69D4274E38356C3338EF8A80E37145D0A155C6A1D2D4A40C1CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:58.453{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=975A04F65D3768A74817E995DB334013,SHA256=7B19DC295CD51EBFE4779AAB375AD4500ED6CA1957D4568032C8F9E6E7528A15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:55.768{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52638-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000320348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:59.918{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E19E9F10A313B9FC032AA72C9801C78,SHA256=DF7538E95DE4EC8FBC8A5FF80064B2A90F0BDD403FBE3D3435ACC2996354D359,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.554{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.532{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.518{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.503{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.496{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.492{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.458{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.451{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.429{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.423{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.414{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.403{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.395{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000446642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.393{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809AC2930A49C97F440A7447ABAF52F3,SHA256=48FBED29F86C35F5D02F971712435C07E3C5161EAF0FFEB4FC31A24AF6822F22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.382{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.373{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.364{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.355{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.307{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.304{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000446661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.425{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369729BB0FAEF8F39C3F0102C559E9D4,SHA256=CA5583426D7107B0500A8BA64A973252F53E8B8A3D8B5ACF4A56ED7070E47E4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.754{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.739{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.737{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.696{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.685{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.666{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.660{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.658{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.655{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.654{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.651{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.645{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.645{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.642{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.641{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.640{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.638{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.635{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.625{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.619{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.610{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.607{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.586{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.560{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.554{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.536{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.470{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.455{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.432{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.414{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.381{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.375{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.366{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.350{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.336{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.325{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000320349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.323{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90) 10341000x8000000000000000446660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.118{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.109{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.106{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.104{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.102{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000446662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:01.503{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E914A25976215888BE772BBA02E50509,SHA256=41EB8D549237BA3B30F676A89678D0F6FCC33ED1DA3505BCC644B6925A13BA80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:01.159{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55AF0CEC9F1E39B711B85338CE43941C,SHA256=CA77D3C09404D1D32B7E3740FD3690D3CBA4BE8B2008ACF037505ECAD3E4DDEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.818{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.791{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.786{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.769{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.757{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.730{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.724{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.714{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.699{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.698{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.695{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.693{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.691{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.689{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000446668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.594{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77697FD3EAD7EC6D7AB80AD51A954050,SHA256=33C0C49692860CD30B72FC935A34936DF6FB00B3672AB7ED910C1666A1DE4F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:02.176{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFEBBBC1077461D1147C051F5145626F,SHA256=CE245D9400821905FA30E301F92458FAA7C0F4A4168E0808A218FB77B0201AD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.184{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.182{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.180{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.167{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 10341000x8000000000000000446663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.157{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90) 23542300x8000000000000000446683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:03.786{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61BDDF6CE945761C6CDDE99348EB3B62,SHA256=E5BE8931F5439B6AC75722D4B4B3B0484CF0BA8F9F31EFAFB2E38FD6E73645B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:03.377{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AAE62C2D587899173D18BD06A6CBF0B,SHA256=85AB44A2EE3C1CFC8D8A171C3F57690F9C7C205CAE3D315606991A835883D46F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:04.866{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB8FB7C775C27EBFA925E443936B16F,SHA256=74EC877D7A5B6E664B1199DC60C146A05A5D1E765426020C804ED5B631D0F862,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:02.307{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50924-false10.0.1.12-8000- 10341000x8000000000000000320390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:04.728{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:04.478{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6AD5B64C89D843E32477BE313F40491,SHA256=BF250D13C2F5AFEA21F26CE08359FE4920CF78A8BAEEBBC3E2ECCD43AE223186,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:01.742{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52639-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000446685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:04.113{45AAC21C-9B96-63D3-2E00-00000000BC02}2804NT AUTHORITY\SYSTEMC:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\database_C64_5811_6457_FFBE\fsr00007.logMD5=AF4D225B60B65DEA33EF59F92EBCFC6A,SHA256=3FE807AB4B2509D9D058FC62DBB74CDEE8B5C3A1A66265522AF542733FAAA3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:04.004{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230127093833-098MD5=ABD21C848C86C8C4C327246443A18885,SHA256=621828FF48080C628607F27990B50D4C7839DD5149D1A5B05A104AE9C04F6CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:05.575{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21325CC461ECBD7F1B42A80F166B159C,SHA256=23B91CC7D5A3CDE9933F1BC1EBCA065F62161716AA19047FD3A21A7AF5517F72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:05.002{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230127093831-099MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.662{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8265681E334A63291C331EE4F28092C,SHA256=F5B79387570EEC18A4F08B9A74857237ED6842A057342C1335C55846220FCC3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:06.082{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F6A7769EDE96FE7660080724390790B,SHA256=88C637D3854829779105BD58890111D0404EFD13863148F1AF6F0929C04DC439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:07.183{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8564C3AFF641AA446AF32BF3A20C371,SHA256=5BDB8ACE6D1CB827F2750BF5F845289563A5DCCC62132117A97A7045EA5CEBD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:08.267{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2A81FF8AB1071BDEAD4056D62ED7BB,SHA256=E6A4E4245D747D798CCE697F0A22374CEF2BE3FBE946DCD992CC0ED610617CFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:06.764{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52640-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000446692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:09.350{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E922C80D1CF4A2355D447E23FCCC4E,SHA256=84DB221F8B0D28E0667D123318F0E25F21699F7726657EAE26C1954EF5F5B074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:10.431{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E513B27BA5FF0D69AA099315387FF6A0,SHA256=4781856ACD93C760FAC7CF4D3F37BCD9C820BBF78202D7408F0A0BB6DDE21FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:11.550{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9466F704BA96F37B3F33D5727FE08360,SHA256=FDE9557173C0F01FA8FF07FBF94909F4EA5C8434A24FA7D7523AC3A56A143F63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:08.288{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50925-false10.0.1.12-8000- 23542300x8000000000000000446696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:12.772{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F9809CD800390A5833B300E23FEEA8F,SHA256=F5CDB888688E31B2B544552766010583F8D0DE861A77FFCB33F95D4AA659D6BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:12.212{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D997E1000D3C66CAC338D026C922815F,SHA256=E33371C747D54570379AE7C805B15721EB430C6CB14F005DDF22FA6C83299DB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:13.972{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA2179D21707514B31A80B8E43BF2B1,SHA256=314A7533AFA181185755CD281DE0945D5ACB2A5FDFB0379F6F6B29E6F5CECEFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:13.294{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B58ED8A256B6E3D7B7DDC87B50B1B75,SHA256=1196F0725795CCBC55BF0B461DA7FE557B74882EAC78200A22ECA88426D7B51B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:14.988{72106695-9B85-63D3-1100-00000000BD02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=38BB658FE45C9E1285EA9DA5714AAF94,SHA256=37FEF2E395189EFE806ED416C8AA81943A45D441E2307E6BCFC4E3F63A118AAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:14.497{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5DF834B56BB8FAAC6DE3E0392A2B38,SHA256=F0D757CEEC755C7DC4AB94C7952EF5D4D674DA2E0C37490D7BA45FAD117C9579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:15.597{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70F5C80A597C245A5C92EDD52469F81,SHA256=7516D294C77AA3BD1F38B76A9482A07B47E3C5F2C3A91970DBA338E9D888BC0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:12.749{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52641-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000446698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:15.073{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC4D73BD1420EC1CCF1D0C06B41C6D90,SHA256=860D554570293B1025560A12EB3D3200E6C645DE79C4020939700C01277193E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:16.794{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A697C2FA9065013EAFE0A5534AAFE673,SHA256=8ACCBFB169BB17FFD3488669E1999A9D0EFC273F49307648AF0B7A4E80E313E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:16.186{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148A156B8CDB6FED0B9C965AAE11B4DE,SHA256=80C39602CE011E89E03790653D17EAF96AF95AEC67AF664765DC01284167D348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:16.171{45AAC21C-9B85-63D3-1000-00000000BC02}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E30F81A702F02EE3C1436A2BB3747475,SHA256=32488F6914C24F6982BD5C36FB6C181CAA1DF0CD20B639087CF649E9B91310B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:17.881{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E589BA203A9B9DA662AFCC50702DE95E,SHA256=E05AAC730F3ED670B425FF57C04D5D59C4441BE6414B8E694C87DE192F2D4D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:17.267{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C158F6B532AF7D01E63C5499D4D5F8,SHA256=10B5C519619CBC34A2EA01DE0966592A1BD57E4FC8AA5855444C770978F91346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:17.236{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=25928559D4423478D19F40F1766D0278,SHA256=23348DDF1B9FDA908ED7F7B7FA37042469FCDCC0600919827A3BA0B546E06B03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:17.412{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:17.412{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:17.412{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000320428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:14.301{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50926-false10.0.1.12-8000- 23542300x8000000000000000320433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:18.963{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3CE1784E06077BEAEAFFFFE0933487,SHA256=B6AC6D87FE8C770A1F40DA86A7F0D329ACAF037A9F19B26C78518470AB18CA1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:18.355{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE0299BE4F53DB9885959DF4CA8BA469,SHA256=180C7D18F41B34C7867C9484922F859D99D612C0BEC2C5681923FC35B6EA95DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.662{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.647{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.640{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.637{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.635{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.631{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.575{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.569{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.554{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.549{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.526{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.516{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.491{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.441{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000446710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.440{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C99BF484FECC762A344E47BF9C45F72,SHA256=B2644C8E0DC75B0BC74C920CE0DEEC17932181207CFA76F57C8D768E2F892810,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.407{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.392{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.379{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.309{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.306{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000320471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.981{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.947{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.940{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.872{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.860{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.826{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.806{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.801{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.793{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.788{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.783{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.773{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.769{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.761{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.758{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.754{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.749{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.735{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.708{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.697{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.686{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.683{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.669{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.642{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.637{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.621{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.559{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.548{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.530{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.516{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.485{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.456{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.410{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.383{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.372{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x8000000000000000320436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.351{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.341{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000320434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.292{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF3B4307B3F9DF7A98DACD8BB44CAB7,SHA256=9814CD77D3AAB1E5E8F763234200A07CA4588832AD7441FC9EBC76620BFF1ED1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:17.866{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52642-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000446730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.458{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318FFECA826B6DAACF9BC4DF4B23E9A8,SHA256=ACD93D3F09E5F57E03FC39CD2FA77FB2F7AFB9F11D9840A116A0E754B3C2D0E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.408{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.402{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.399{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.395{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.390{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000320472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:21.778{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B167133BD4097A67DD5A1BA0EC21EF1A,SHA256=0FE05383A4C89417455BBAE1E676833BE4466A4F4C9A2D6510335290DA407721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:21.455{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=070AE7B0C375FC2DD63B5A39500DE660,SHA256=E10234872A05137FBE563D3009074F7D9BF70ADE1C541416E4C6EA92E9B0E766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:22.977{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90DB100E5C4CC3A64A3E10598E01E57D,SHA256=9A36B8B9EEC745A37DD0A683951CE24CB4D0480F19F9BEAF0BA07ECCC1239549,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.994{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.987{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.978{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.972{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.970{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.967{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.964{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.963{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.960{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000446738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.537{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF2F00747C65A0DE28F8A0BA9DEC591,SHA256=A1B530D4D927B0F7DB94A44D7D836317A2DAF0A5669CC32AC3D5F21C9D9B847B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.297{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50927-false10.0.1.12-8000- 10341000x8000000000000000446737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.446{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.445{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.444{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.434{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.427{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000446753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.624{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=041F866AE72EBE71FC1DDCEE7F5955C3,SHA256=46768719E538F2FF28E7F85E4E310086F226315586D0572AD9A1697EFB42CE1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:23.159{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:23.159{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:23.159{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:23.138{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-2000-00000000BD02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.069{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.048{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.043{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.034{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.021{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000446754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:24.721{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5149845FCDA86CC30FD41E5C515B23,SHA256=A81C780D1C2DF3A3915DC4592ABBCB0BA0F671D1ED405BBB852E18CA3CF8333B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:24.063{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E4B8334773C8B2C23BEAA0865E2A2B5,SHA256=457BDCEF088E0C5DCD23E6824B3777AE85ACF40A9DCDB24AE01D50FD4F3C3748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:25.821{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=185778E62DC01D6FAFAA339F73F0F172,SHA256=29817013BDF70C1406C4E1FC29D580B10C3F8C8944F8730623C85D97994AF426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:25.166{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=273F29BA69DF537AE328418F8D489F53,SHA256=353E19C93648070E7A1262439387A4683953D23B3907700C9DFB0BCDC883D072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:26.272{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBC242640AA643BA55110CDD7DFA992,SHA256=2775E49D47F36A5550EE644C0AF15EA2C6EE578E201384DA36E2EFA62A5746C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.811{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52643-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000320483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:27.568{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D371484151D886A6ACBD93D6764528EC,SHA256=B837C371428EC780DEEB8B29C4311AA28BF01936B62435B9EB3FF41A0B96CE94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:27.365{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16BF62233977A9AB38CD79C572FB21CA,SHA256=E4CA7411BB2E80ECDEDFAD79BDCE7E3CBA12D71A63784436EDC513382C3AF38A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:27.022{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5388432452CD2823A8098381EA74622,SHA256=2AFAA8D4A8A2E0F1172CBC8AA94B55F750E1F56B4F6D1A8FF60B61781984F55B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:25.346{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50928-false10.0.1.12-8000- 23542300x8000000000000000320484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:28.469{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1012DE7CC1F704E0299FF8BA9B143A1D,SHA256=5FE772F986008AEE41EE048FC875E5CB6BFA3155EEB43F706CDEC2C5527095B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:28.329{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322E4AF7561D04AA447F12FBF594778F,SHA256=13B2220207780D5EE2EF72ECFA51752B8ADC04AF5360E49E214F742CD87D512E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:29.563{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4511EB127F2B21107892063983CB2FCB,SHA256=95FB90BF32D464425F1821798541795871D59802EC95122853BEB67D64BEDB83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:29.431{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845243B512BD020D1F9D03DA2C843CEE,SHA256=EEB3615DF0096DB7A9A5977247536251D93E0E4109D0009C47C929FF4E49E9B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:30.633{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82FC20005AA9E78B2B085E899C9F9776,SHA256=F2B1122CD28225A8883108CB7DD8F8C07911A282F6B48A575C5909C231A09A94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:30.657{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4056E579BEFFE78514372980C6743418,SHA256=4AFA19F43EE493F641C9FEE2FBDE0485D7E1BA55D681EB05462951F658B7DA58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:31.762{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9EA80EFF591E32D7022CC40D12056A,SHA256=A98BBCD6AC7ED19630640EC7AB545A287A51CBBE12B40B32E51DF9FA73707BF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:31.837{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F34EAAD19544FA3D8FD83C30D63E148,SHA256=52F52C380B99DC81B33E010B697A876BEF2C09067F4C977C22058D1D9F035FD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:32.972{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4056CC26C7816640C40735AEE4D4DBC,SHA256=673AFC48129EB5AD65CBD1D816D4488CE720529E01DCD5B3044C9DD93B46CA7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:32.929{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C16E697FBA4F2265175A9DF2387EC3C,SHA256=BCF5993C99271B01B9A316DFC7A91A5C83888743D28500E1227CCC8A8A2FF448,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:30.464{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50929-false10.0.1.12-8000- 354300x8000000000000000446763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:29.712{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52644-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000320491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:34.068{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=391CC83E0E0EEFBA574010BB392CCF3A,SHA256=38B8F61070BAD51E53E7F5AFB8B2893CED17D7D9BC207498CB1D7AB9F9A975F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.066{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.020{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F3E4CAF5D1FE25AB8E479CB31AD19D0,SHA256=0CC6C943F34ADEB736B2E0655BBE1B31E24F8399B31CF44D9A12A246E1284F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:35.164{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E3B4EC5BD6695FA92CF164849A4FB84,SHA256=C18832FD6BA099AC16293AA6282C0EA3E258943FE94F67B584034E0BABF32B40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:35.593{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:35.593{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:35.593{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000446766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:35.120{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24E99564E01E3F26A003DA70C9365B17,SHA256=568333C22FF091BB7C9F2016DF14C4EC3944DABAD30E1D7F8E9B0DBC24C49CBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:36.258{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96C1721AEBC953B14CD3809D4F23EFD,SHA256=4EA83FE52A1AD5988B8D51ABA9ADEE8D555A15109FC89DC4C428343CB082C2D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:32.750{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52645-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000446770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:36.205{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AEBA81F63196920A5ACB21927C02CB5,SHA256=3B658500F689AB2807DF71F0049F079D126BAD2347A9606FC6801E2A1136F311,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:35.511{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50930-false10.0.1.12-8000- 23542300x8000000000000000320494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:37.360{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B1975795973E464A08EC6227D0116D5,SHA256=34811674FC5B03C0971623784792AF4A992BE50149B1CD85B069F7322EB508F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:37.300{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A267007CE075160D3E41171AFD5612D4,SHA256=3D39CED1AAF0C2B99A5539A367090C3310467F5416D365848A213B0C465D5BA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.345{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local65358- 354300x8000000000000000446773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.344{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53380- 354300x8000000000000000446772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.343{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local59591- 23542300x8000000000000000320497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:38.755{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:38.458{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BD533E7B19629F9ECCE3698CCEAD57D,SHA256=0723DD95B5307664CB4EDB1BEAABE960032665F1EB46D45A03A8D252E1FFC2BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:38.271{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0965909D79DDD42587E6C264C9392982,SHA256=16D7E1CA0213733BDD4142840080627963A7639EE80242C034EECB0B8420FE3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.793{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52646-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000446776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.345{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52025- 23542300x8000000000000000320498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:39.541{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E4301ED2BDFAE7D4E20A3350F6F9BE,SHA256=92B1CA082E5336EBD749F2D6B1DB5D68DEF303556C7074BEDB617D31F1B7E5F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.560{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.545{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.533{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.528{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.525{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.522{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.483{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.474{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.454{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.446{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.438{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.427{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.419{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.406{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.396{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.387{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.379{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000446781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.346{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA8450BC877FFD3F7DB1D4F78E48288,SHA256=79525B30D4F6253F4050CEE1D594CEA4AB0B634E22B48C7005460EB2F61354E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.325{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.307{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.822{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.804{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.800{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.766{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.755{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.741{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.735{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.726{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.723{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.720{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.716{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.712{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.708{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 354300x8000000000000000320524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:38.008{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50931-false10.0.1.12-8089- 10341000x8000000000000000320523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.698{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.693{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.685{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.679{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.666{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.639{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000320517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.631{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD573487E4D913CBF0F5FFB65AC95981,SHA256=23E6016CD9EC42072B958D94F67CF0EA529BD96DABD930A581D4D04F0103DF7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.621{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.599{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.594{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.576{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.558{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.555{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000446804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.376{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DDA029D90A577E02029DB0FCBB6DF5,SHA256=CF8135B2BFC28D60F0532E6705BE4AFAF019D06007F421EADDC404AF52674B78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.540{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.473{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.462{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.447{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.430{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.402{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.389{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.374{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.359{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.344{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.335{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.330{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000446803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.156{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.153{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.150{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.145{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.142{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000320538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:41.806{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2361354175A6E3A038FB5E1277A80CD3,SHA256=C12F6048AC7EE0705639248AA745778300C401F60AF93F8E57CB77122D3E0245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:41.471{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591BEFD8692BEB1DEA4E82A7BCAE1EFA,SHA256=526D4A4D0CFC0FE9CD377A415851BF4775FF2FB8F54FEFD43DE3A99A3D83DDA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:42.925{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D0245F09475B69352DFDB08447844A6,SHA256=BCF81BF25499942A32E5538CA356173849D452D4BB03D0CDF14AD460CACB4316,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.815{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.796{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.793{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.783{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.769{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.746{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.740{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.729{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.724{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.722{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.719{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.714{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.713{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.709{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000446813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.553{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DFA7C9DF7E6B14DCBC89CE5D01B48C,SHA256=77936B9B2A9896548D199AB0FAF81BB66DDDBA389DF73A5CCF33738B2EBCF893,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.342{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-3000-00000000BC02}2848C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000446811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.827{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52647-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000446810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.201{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.200{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.199{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.186{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.178{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000446828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:43.721{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9E4ECC0D7AA5FAABAED532EE61BC2B,SHA256=172493BE8D55D19E35247BCE7C71593959F7F94876F6595D9079B03D877CF585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:44.822{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=598493BAB1FDBE09C0B2795FF7A1D231,SHA256=2ABE456EE696E5FE05B6BF205A9BD40708941BFB3E8460FDA1814C31597E1FF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:41.499{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50932-false10.0.1.12-8000- 23542300x8000000000000000320540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:44.005{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80A36F43ED4BE405D88E9B16B33F2CA,SHA256=A1CF59B244C0E65A6F49C392D1DDE6F0AB5A10D91246E49705A0A40C6475D4C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.958{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.926{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D936C7119BAEDCD9167B697E58409E40,SHA256=13947095DD9FE2D0D15E9D06E8D0B251D9ABAC8491F802C4980DCAD6CD46DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:45.094{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F525FE941B05EAF8AF70FE4619EE76B,SHA256=785ACAC92AB870677D841CBE2482B5AE5681B8C6CC438DD1D9E6FF7FFF1A7D1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:46.181{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC863D7CF5AFA4CCAC3C46B6BF3622F,SHA256=6F4FE8F9D5AAA1CC422121889123B81E79B2C772E4A8E72648F684DA666E8E57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B38E-63D3-AF03-00000000BC02}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B38E-63D3-AF03-00000000BC02}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B38E-63D3-AF03-00000000BC02}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.631{45AAC21C-B38E-63D3-AF03-00000000BC02}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000446843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.170{45AAC21C-B38D-63D3-AE03-00000000BC02}48763008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000446842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.107{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=26C0E71D9551AECDF53DF6AE336BCC70,SHA256=030798747DD5D67ADECA77827C91EC4245B5F4760D780B8CAA59335F9C08F772,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.075{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000446840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.072{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000446839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.072{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x8000000000000000320545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:47.542{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230127093815-099MD5=FAFF531EDF0CFC03BCEBADF518BA5361,SHA256=88BF976C27BC6DB398DABD588375EB870CCDB2E8695A85E73E9E0CF078A2553A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:47.273{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C6CD7AB479D9603AF0100751D4EB25,SHA256=6CCD5BED9B02AFE4D6DC6E9B7DC4BC2EB15AD0D7C0BFFCDBA2076C109ACCB677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.408{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1A1B91F3BA43D5E279E235C61722F746,SHA256=F86ADB782C801A363257E8B8D11732AEE70FCD17382D68C176A6420DBB3EBA19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.361{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E48DC6697706B3CF34036FED758D4F0,SHA256=744E4978D440C122D10B94C7A403D816E9FCA700D646E5F2F184833AC61D7F92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B38F-63D3-B003-00000000BC02}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B38F-63D3-B003-00000000BC02}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B38F-63D3-B003-00000000BC02}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-B38F-63D3-B003-00000000BC02}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.021{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=320695F230B49777C1FF9196159A9D7D,SHA256=DB67D0CE05B56507C128446B982763A0751B5D0B793AA4A4A2ED2565970BCC71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:48.555{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-100MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:48.363{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E621562CFEF6B29CC1E4F3B9B6FF51F3,SHA256=4EC3AE0E8F8B51B872A6D161130229E1555794EF2FF299C35EAE9DDFE40BE4FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.814{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52648-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000446863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:48.107{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44DCD969183947730E377A1DA6538CC,SHA256=64A488796530A2D0C65D470F288BE74DDE664D76F7BD3A16A37CAFF234C5F009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:49.670{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F82D8B8DF0274B021F4C65DC59A8007A,SHA256=11A0415D2B9B15A1CB1B493DAE0A7E57AB9033FBC81F293724929FF195BC0D57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.911{45AAC21C-B391-63D3-B203-00000000BC02}53561972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B391-63D3-B203-00000000BC02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B391-63D3-B203-00000000BC02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B391-63D3-B203-00000000BC02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.693{45AAC21C-B391-63D3-B203-00000000BC02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000446876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.248{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52649-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000446875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.248{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52649-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 10341000x8000000000000000446874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.410{45AAC21C-B391-63D3-B103-00000000BC02}37364808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000446873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.207{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48349CC772F6E5D004B09EAC5E3E0CA2,SHA256=0A2D8E6F077A6397D18625919505C0062208C2C29802BE8A5C63A8AB3FA62932,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B391-63D3-B103-00000000BC02}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B391-63D3-B103-00000000BC02}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B391-63D3-B103-00000000BC02}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.190{45AAC21C-B391-63D3-B103-00000000BC02}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:50.773{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D84789003EC08DED80A4AA210C48F911,SHA256=0ED465CB8BD901CFB3869E2C45C4D1FC06DD9FF9ADB2B3021F930EA8BF1B6E12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.540{45AAC21C-B392-63D3-B303-00000000BC02}43685880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B392-63D3-B303-00000000BC02}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B392-63D3-B303-00000000BC02}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B392-63D3-B303-00000000BC02}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.369{45AAC21C-B392-63D3-B303-00000000BC02}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.290{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4920A9DF9DEE3E4940F7402A0D298EE8,SHA256=8670871B0DD29AC2F4B8CB7F425953E8C597030932C5106DE42F6116C025E637,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:47.410{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50933-false10.0.1.12-8000- 10341000x8000000000000000446904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B393-63D3-B403-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B393-63D3-B403-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000446898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B393-63D3-B403-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000446897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.768{45AAC21C-B393-63D3-B403-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.377{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6431CAEAFB18497B146D5AC119D424E7,SHA256=F07B2D1A7784D7E6CAC59516A6B1D7F3983417444DF3073A500E6E992701CD93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:51.859{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=870CD3CC7BAC09421FEA53D352A9E56A,SHA256=5380C8A550F68362B2CD332837576205F199792EDBCEB462144210EDE0D19423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:52.873{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93FFC9EF0B21DD81F1ECFD7CBDA55B09,SHA256=437B094F6D97B770D6789A3CD57D4199CEDD10D841B11599ADE03E23FA7BDC4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:52.685{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D3AD7776C7C04BEEE3CAFC8D6049838,SHA256=EB889F0A0FEC830E616841B578E82FBEC8617724564A9E78610AD9C1964D2970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:52.966{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F1E1B30AA4A15142AB6E1C3EE9A6B9,SHA256=F9D1F0595478CDEF551951E6E37E0B36C255EBFB0735A8CC9F2E1B7D245A8518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:53.781{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AAE50C3AF69F3038D8B436DDAE308F6,SHA256=4E78D8BC31FC716846C2148BAF09209E2220211A54B65C0212757F7861DA3429,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.961{72106695-B395-63D3-9A03-00000000BD02}54286104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.883{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B8BD50C432523D50DE0396F05B32967C,SHA256=B67B8F6C8DECDAA506622C111F0E80772822D3E67E5A4BE9D323761DDAF6F3A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.793{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.793{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.793{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.644{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000446909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:54.866{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7FB2400EF1579DAD9A75889779819AF,SHA256=44A4EA3196F518B53CE1D6E1AC9303195CE31872ECA0DFCA924A66A132917A64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.791{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52650-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000320587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.843{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.842{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.842{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000320584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.651{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1191B08C1C1AB746610FF6455D70670A,SHA256=07E75AB9B507D9697E402FE2A1E713D5B7B3EEB5424F0E940FF0730582F3CE64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.636{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.385{72106695-B396-63D3-9B03-00000000BD02}43845172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.135{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B396-63D3-9B03-00000000BD02}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.135{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.135{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.135{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.135{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.135{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B396-63D3-9B03-00000000BD02}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.135{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B396-63D3-9B03-00000000BD02}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.137{72106695-B396-63D3-9B03-00000000BD02}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.086{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A61278505151CB9561FDA58A876E6D3C,SHA256=CC730F5EC36A763A03E4A1DAEF91CBE1AE1623E5E8F929C41EDB418844EDE229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:55.956{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CAE3C7042B2D4FE524C373D80994306,SHA256=ADAE613683A383AB324E954BF7AF214A2F0BA69A2554914FDEB068FA86A9A32E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.860{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B397-63D3-9E03-00000000BD02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.859{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B397-63D3-9E03-00000000BD02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.859{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B397-63D3-9E03-00000000BD02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.759{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B397-63D3-9E03-00000000BD02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.759{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.759{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.759{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.759{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B397-63D3-9E03-00000000BD02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.759{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.759{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B397-63D3-9E03-00000000BD02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.760{72106695-B397-63D3-9E03-00000000BD02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.494{72106695-B397-63D3-9D03-00000000BD02}5988592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000320597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:52.521{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50934-false10.0.1.12-8000- 10341000x8000000000000000320596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.260{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B397-63D3-9D03-00000000BD02}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.260{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.260{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.260{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B397-63D3-9D03-00000000BD02}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.260{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.260{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.260{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B397-63D3-9D03-00000000BD02}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.261{72106695-B397-63D3-9D03-00000000BD02}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.182{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE083F280940FA066499FDADE66D262,SHA256=4E1FF3D9C44447FF18CCEF55C109D80B38D39A1BC1F0A3563A98716FD19B5ADB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.638{72106695-B398-63D3-9F03-00000000BD02}12762452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.386{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B398-63D3-9F03-00000000BD02}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.386{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.386{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.386{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.386{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.386{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B398-63D3-9F03-00000000BD02}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.386{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B398-63D3-9F03-00000000BD02}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.389{72106695-B398-63D3-9F03-00000000BD02}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.277{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E056FA5584774E9768DA7952B8F92EE,SHA256=CB3E5D29F6BE3A76603D5292C88C74A25D6992DE9F22F9E8709E7A44D82F7851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.706{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FBE6DD28E8E87A7CCAE0F6B58DAB5A7F,SHA256=7B234BB9EC3C66D6E22CF4E0DD917873EEDF2C0A07D97A05B9B37690A838CC3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.375{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA613A098BE2041FB9A697B08819271,SHA256=49550F35BE0DC784503A6CD9FA3BE313DA51D22406AC6D449D8A54D22BB71361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:57.054{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B1A818DFB3051B358418793C4B53FD,SHA256=8DF1911223C7F6512649A12270BF837CA623C7DFF6F415B37E490D878C9248FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.060{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B399-63D3-A003-00000000BD02}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.060{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.060{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.060{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.060{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.060{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B399-63D3-A003-00000000BD02}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.060{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B399-63D3-A003-00000000BD02}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.061{72106695-B399-63D3-A003-00000000BD02}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:58.471{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A5BF85F7CC7AD24033196E74836491,SHA256=A1C2DE74583F60FFE8F8E01972D2BE64352F8911483C3CAB82E205C81A26045D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:58.138{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDFA11222CD699FEC117F706E8678637,SHA256=7C62C6CAD6BFA965CCB2B116343725EFBC1BB0AD593DAFA76077A0C002B73996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:59.574{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD2A5A47D44002B2F166D906EB7A0DD,SHA256=56506E933C47B1C711E2239A0F977AF12A405FFEBE2BB8894497A08847C3C53F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:59.496{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.517{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 354300x8000000000000000446932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:56.885{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52651-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000446931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.503{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.497{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.493{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.491{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.489{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.450{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.444{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.433{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.425{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.415{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.401{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.389{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.375{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.367{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.358{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.346{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.305{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.302{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000446913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.242{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0624C6C111DACE073A526CCCCC40E97C,SHA256=9D9FADC6B3ECCF0771FE6DCF9C0AE556B861FBB26B3EEBE9FAF4601366BE408F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.701{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.692{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.689{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.656{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.639{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.612{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.607{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.605{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.601{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.599{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.597{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.593{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.592{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.590{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.589{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.588{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.585{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.582{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.574{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.568{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.560{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.558{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.549{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000320647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.545{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44803B3F219EAC3894887467FF402B8B,SHA256=814084ACA14DACF991B537C53EFDBDD5FEBC19BE69461FF4FBB6F8716E4CBE88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.527{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.524{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.512{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000446939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:00.274{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DB58ED00017A37E608E6AABFF648A67,SHA256=202F72E42A641CAC2F1B6A4BB3E8B39E097EDA479A7A640BAA4180386B4CFD27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.440{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.432{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.417{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.389{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.374{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.367{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.357{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.345{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.334{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.321{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.316{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000446938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:00.101{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:00.097{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:00.095{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:00.092{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:00.089{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000446940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:01.378{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78DB6AC3BC4134B57B4C6B662FC6620A,SHA256=338EC3EDE2B3720EE7EDE77478D6897A5C3F61C9982DDD8EFB5870D5DBB842B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:58.421{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50935-false10.0.1.12-8000- 10341000x8000000000000000446960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.818{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.789{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.786{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.776{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.756{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.709{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.700{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.680{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.672{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.668{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.663{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.660{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.658{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.655{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000446946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.564{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2682A7CCA18E647ADD1933C79F39B443,SHA256=DD775C1DE8EC3459E121662626FCB2DF72A8D3695196713F0958872B8C0683B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:02.073{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04B9AEF7B8EAFC702865DCDC8401855D,SHA256=216C7678582525FBBAFD44140B08E86792165118F93DB1C686535CC797B26251,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.142{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.141{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.139{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.127{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000446941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.115{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000320673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:03.154{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDE29B45EA25BE80EA8C2A24998390B,SHA256=4D28F62997078B0E9FB8BFBE28CCE0CB3B810A8AD943711D8D4AB235AA8C29D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000446987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000446988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:04.148{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C2AB67E4324475B1ECFE155795363CC,SHA256=796B2A9DDDECBE869C97592AB1D93FEBE7DAD11D0D3EC22AD8576E66811E8F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:04.249{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F56D005E2FEC10B7E1F61ADA99D39B5D,SHA256=44318487D1984F120E0B224740F5E6CCC6A7D7D816FFCB69F622F5654092214A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:05.817{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:05.348{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000855E3CBD935CAAB4EE16CCC3034D0,SHA256=8BD6F44A99011F4ED797E3E1D49454349C07718B5F73890E0667F8E535B61F96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.848{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52652-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000446990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:05.535{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230127093833-099MD5=ABD21C848C86C8C4C327246443A18885,SHA256=621828FF48080C628607F27990B50D4C7839DD5149D1A5B05A104AE9C04F6CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:05.295{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC580FBFAA8246ABB7A8D5B01D62E45,SHA256=E93CB3420B2986246DAF784D688714284566CB991A5F3BA71054FC5F9939A0E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:04.314{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50936-false10.0.1.12-8000- 23542300x8000000000000000320677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:06.440{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB4C5DE26A1D0A0963FB845212F036B,SHA256=F4D19A9BD841EC5CA348E3571C3DFDB34DC4C565B21DED8733352EFD95D20F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:06.546{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230127093831-100MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:06.388{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1C26CFFB6FC29FE9F7848917AED59A,SHA256=933567216B47B6867F9224ED78741C4AC1A367C5463616082CF82C7122D0EC78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:07.530{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B239E3395728FADE226B94AA2777F18C,SHA256=AAECE574968B8C0EB523E12520EF4DC66FFA69227100E7DB6B89E59DB2D3C74A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:07.486{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BD0D9CBF8A20A9DA9CD8C0FF4B205E,SHA256=9667BCCCB7D0B943C5AA5D29B5795394FDBF5650DDC311CB1F049B9A47B13504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:08.629{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8343617BA2BD7CD3E39853B57639300,SHA256=FEEA15814633D7176E484924F7AADFB7B37B1F6CA59B9C7F8ECDFBD6DDF719A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:08.565{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386A920848EC9C67307C77D913DEF5FF,SHA256=DEC4EE1EE6526007FF44BF3DA2FDC8F93516577FC918453A6E2ED4EDBC6EA6A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:09.730{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5352822EE6DB2BF3CA944F01FFC34D31,SHA256=B68C34F85CCECC03F9C97B5F4D18E57CB9EDE5D5CE5AE7A8664FC255E3ED99BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:09.652{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F34FD7AC55693C24B9316ADA301806C4,SHA256=22C28DE70B291B06B34677F213F58DD84EF279E062C0CF4C25843ABD96BA9C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:10.826{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E0EF62BE8072F8ED3ADE6D4E9DB474,SHA256=652B848B83FA6E39F1ACD6E61CB97B87ED7602FF3E68DEEE23D6FAAB68AAF196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000446997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:10.737{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0198FBAE7B95CA4C4CB4573D1056CB9D,SHA256=0D14801BBCE917FAA6F06EEDF505C131DD2C102C38462387DB7497685DE797F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:11.923{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E996DA48B61D9255186D5657A567335,SHA256=A1EBE2ED496BC0E1A7FB8CEC831B85CB1C6BB2C9E31C022D48F590A7B53443E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000446999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:08.746{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52653-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000446998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:11.826{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E17A7C336F292B3CAD12A01C0FC03C,SHA256=E1ADBB400995BDA662EEFD4EDF9359BB27B77C1EE475382FBB7E2AC4D0663FB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:09.501{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50937-false10.0.1.12-8000- 23542300x8000000000000000447000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:12.925{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE630EDF78C45DD2FF3CE4DB9830ACB2,SHA256=51B0FB08E0C04E8348FD4AC4990C2F60F47D9C91B6CD3E2499D93293E5006761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:13.011{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4F34153CAF3F9CCCB072B7F7CC023D,SHA256=A145A8A5D0AE3E0406542BD9E1F68F4724432B668E6DA25D344D201AC9703B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:14.994{72106695-9B85-63D3-1100-00000000BD02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=314A990B7F8323AB813B5BBB4DA74BC4,SHA256=F663C70415106C0F416EBE9B9F2154FF671D9648B649453A926D5270696F0E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:14.108{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4F5875E073CF0E04F1EFBEC38A8121,SHA256=44903232BB7BF4FDDD2C3A01B7317694831207FE9328335D5D65A6688131CC01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:14.017{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C0EAB1902F8792297DB2250986993A6,SHA256=F9A48BEE7619655BCC9928DB74FDB4E86053084680BCD5905D90CB1C6C4CF825,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000320698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000320697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005e619f) 13241300x8000000000000000320696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d93239-0x160fd2d3) 13241300x8000000000000000320695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d93241-0x77d43ad3) 13241300x8000000000000000320694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d93249-0xd998a2d3) 13241300x8000000000000000320693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000320692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005e619f) 13241300x8000000000000000320691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d93239-0x160fd2d3) 13241300x8000000000000000320690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d93241-0x77d43ad3) 13241300x8000000000000000320689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d93249-0xd998a2d3) 23542300x8000000000000000320688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:15.199{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF29F4E36531BA85956C1BBDBD7BA08D,SHA256=AF777C830D9538DDC1D62BA203DF1DF7440139336ACD5FE457B4488AFBBDDC26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:15.118{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A6447253922C7BCD05F04C7D3B692F,SHA256=A7385201521C84DD7E9A7EDDED526C46B57C17CE55FFDB4C3F1806A097B830F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:16.295{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06980D05C7C6EED4DDB83ABE132D0B6,SHA256=507F601C65B07EF93F9B04815E0BDA013EDD70E9A298C542FAD3827E6274C9B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:13.848{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52654-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:16.223{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A71426151A9481A7343205471C4C1DA,SHA256=718975EC1334A61CB4E11432D68850A12612D13F3F7295CFB6479B855812BDA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:16.175{45AAC21C-9B85-63D3-1000-00000000BC02}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CAD96115E5E5BB3B5CC9EBB6D1AD0BC2,SHA256=0A933AF96C8A0AA89C41F9B93DB31200A4C0D0C0BBBC6A08F87FFF6954D37C17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:15.390{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50938-false10.0.1.12-8000- 23542300x8000000000000000320700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:17.397{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF16E5B54666C0706A38F828D30F85D,SHA256=90EA273F87A0A23238F1CE6DF54BAF7A820A939C6DE94EFFC700F68615B87DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:17.571{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3F14CDE68856A317E76A1ED1A232D7D1,SHA256=4B0F5B948D73438525A1DD2C2F6150A8EADC4A379F9522E96F7DE451BE6949CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:17.220{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6219D352CA8D110DF92ECD5ED38D3E4A,SHA256=DC76787959CA4AC8322137488D403EBBD9B19942C9D01A2D25101A3FD9597BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:18.490{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95A4F3707C69232CA23F2DF6F853838,SHA256=D23C46BC3AF2999368AE98A0645F981C77E7E9C2B298405DC0C300B70BEA3B4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:18.318{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F84AAA54A648F851D8B1ADD26DBF3C25,SHA256=20F97E11EC95F5A73BA385ABEDF985E1F61F5F333F6E94F457ACAD0A4562C834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:19.579{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3FB5929202917AB09C61955E29E4D9,SHA256=FD78D518AAD21612EAAFA30D6FDA6CFBD3DA4F95B0DF07374A85662106C9E8F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.606{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.590{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.577{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.573{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.570{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.567{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.528{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.515{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.492{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.480{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.467{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.444{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.432{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.406{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000447014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.397{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53442C613AC75D7EDECEA9342A5C3254,SHA256=6E0B487179042E0ADDC32D966FED1A8F7FBA315725FDFB7ABB459EC6D54B2825,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.395{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.379{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.363{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.305{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.302{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000320741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.771{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.758{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.754{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.720{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.715{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.698{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.691{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.687{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.671{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.666{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.664{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.659{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.656{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 23542300x8000000000000000320728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.654{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8914CA9F1536999C292C9EFFD407CA6,SHA256=50DF01D23A06D2755268D5FC9984D9EC1264806DD79D017A7DD7136E4A9E18E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.653{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.652{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.650{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.644{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.639{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.625{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.621{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.614{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.610{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.600{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.582{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 23542300x8000000000000000447034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:20.417{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674CFC8182E57BCEC470DF76D4027A30,SHA256=20577F151631BADF63E25673E638811A78089DD48A537175F26A8CFB673BA6AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.579{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.565{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.514{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.502{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.492{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.479{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.464{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.456{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.447{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.433{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.416{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.366{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000320704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.362{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000447033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:20.245{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:20.242{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:20.239{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:20.237{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:20.236{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000320742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:21.736{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05CD9026B05747F7D8332351B899EB53,SHA256=E2D155E9537E300CD31212814909B0E2B61322FFD519387197716B8F2E2B11AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:21.630{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BB5992836879C1C27C421C536B24FFB,SHA256=1999835DA0FBD97A920ADE1BC9DF0A01ED22695F1750A1AFA625F209769A28DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:22.828{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C32A63BB5E7908C74B96080C2FC3838,SHA256=5A3D58195418E0C4813CF0497CF53F66F4862C7DA436DC0BC9039B3D43921FD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.938{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.917{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.911{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.900{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.887{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.857{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.849{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.836{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.830{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.828{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.824{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.819{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.819{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.813{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000447042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.718{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760152D3CF17ED9DC8493F1A9D53A775,SHA256=0EB8D5A932EAC91BDAC7156D31EAAD550BE68175C3BA184ECCFF9D18D18C5B3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.303{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.301{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.300{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.290{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.282{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 354300x8000000000000000447036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:18.928{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52655-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000320749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:23.919{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62291418B759330DD879CC0681E1CFD7,SHA256=D8BFAD913A61890C90F6388130ED1EF755B9ECED7A8EFA491D24201A17D2BE88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:23.876{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342E37D9A63DAF2A12437855D9453DC9,SHA256=1C9B2E5150C4827F92B9C1166C5796CF1C9FF4C47214422C734850334285F544,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:21.398{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50939-false10.0.1.12-8000- 10341000x8000000000000000320747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:23.162{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:23.161{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:23.161{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:23.139{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-2000-00000000BD02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:25.080{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC172BAE7F216EDF909DDEC2D6EEB99,SHA256=F9539B5E018BF0E6322243E92146CB461C2C0B53C2D8B714ADA7A74E611B2C51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:24.999{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33435D48A74D8F1939178D5914BB3627,SHA256=333676AF8188430FB9DCA7E2F179D2EDB7994D57F8D1D7933EBEDB8436F5A323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:26.087{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A87DF1230B8C6C23B71628F8A9D1432,SHA256=56B387A0D152D38AD1EC95DB2AD2A96159B900ED3E954D2FE5E6ACED4F0A0B3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:26.286{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCCD5766463DAE4CE0164F450555C0D3,SHA256=BD6450A57A45C231433F5018C4E097934D3A605F74FE36EDD72A0F3FBC621128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:27.198{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC94DF60215FB522A58481F9EBA16EA,SHA256=74860DF1FAB9D13B27BABBA41C163DAE334F45A404718000BD477A6162806241,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:24.795{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52656-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:27.491{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74515AC2C362C23D962B36FB14EFAD20,SHA256=EB313ED357E8B92967286D37B35430E73EC753C1250C1E21CAEA91FE52DDD55A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:28.574{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC8146BBAAA54AA160BF4C10042580C,SHA256=97D00AB7A2B30458FEBE8C700F9D12930773F1A62E575A568891E434C5F90312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:28.300{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4867EA84CFB6F4F34B8CA585812E58FB,SHA256=71D66A4A9B1DD6DBE778E6C833B393AED3A884523F77D5CC059B25FA6D9EB4C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:28.064{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B2F5BDEEA495E65149F453009F645CB3,SHA256=816E5D07EE712116811BD30ADFDF47F55E4A47C3371A3DEB94DE0BD9533F96F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:29.661{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E8C89CDEF22E91C60BE906BE74F8E27,SHA256=8092B0B36FCA0B13692D071D7952E54B1A984318F4B2DE580B14C39EEA442BBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:29.393{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6FF60114FA6C06DD16C801AC243A70,SHA256=36619EAF7CF10E0D743553026F811089EA545F3307A5D44546B779BD63F5523D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:26.482{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50940-false10.0.1.12-8000- 23542300x8000000000000000447064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:30.741{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5EDE2EAC0B52C2284299E7927B4D76,SHA256=95E418C150ED5018F566A12E34FC8E798F53DD81977AFE135CA55AD83C02064F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:30.485{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5974BD570F2B2A6EC2F24552D8107CF,SHA256=134EAAE2965FA2857D8902D7B0C61A866F13C0774BA326704A734756CDC54447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:31.837{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78ED6E4D0BB6628A3EC9D871EF3B23F4,SHA256=85F9B2CA1DC467BF1893E1978FBF5E5F583160C3C87BEEB50C6E970A33253802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:31.670{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CE1208A9E6FB70C276E0F6D77290542,SHA256=CDE4FDE5908160FCC07715CF12364276E692431BE53A1E8A825CF97D6B710ABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:32.919{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7324DF457703504723D60E0167ABC867,SHA256=654460DE0E1B131EDCCB5A72FA4F8E94D0F346E6AC6109F5EE234B4D3FFE278E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:32.760{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B914534AFC5E62F553E1CD41CB9EAA,SHA256=59B950EA95B0726CE76DAD70A75FD9E21ED2809C43071A2B73C876934CC087BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:29.815{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52657-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000320760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:33.862{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=646296D85A950F6F8BA89920177A248F,SHA256=CBB35A7F57C6F388F83A12B47BF6ABF6307BB95BED3D743186093B4128D4B425,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:34.953{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E43E43F798DFECC28114B9703036DEA1,SHA256=02FF8B98A33096F7B0188FB41D23B761DECE91539239BCAEB992FE731DC19640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:34.083{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:34.020{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E903DB567EF7FD25DBD2C972604D15,SHA256=04087EFB5AB417B4788F5A8CEAFBF397776FC25BADE6A185EDDCA9CCEBA3CAA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:32.767{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52658-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000447070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:35.117{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB9E8F36CFD8985107FC214D20BC0FC,SHA256=7B48762F4346BF9F837C0CDD9BBCF15905AAB78F09D7813D67849A461654539F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:32.469{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50941-false10.0.1.12-8000- 23542300x8000000000000000447072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:36.218{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D4546D600121E5170B23787AB837A8C,SHA256=B6EBD333F9190D9D9475D2306A1FEF81DA8F860E35DC0CBFD71D86CE1ADBFA1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:36.041{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A4DCDF97ADC04418C4BD4CF3555BEE,SHA256=D15884BC47EF6B89C8F2887C0D36CD72209217EA10F6B2FEB1021338FE3729EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:34.917{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52659-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:37.318{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A5BCBF62B4FAD8FA7459199554BBA7E,SHA256=93CC28DCEED7DF7B9548C110DCBB1104010F96C0191512F53BA136AAADB29445,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:37.152{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8819B12CB21F738C1DFC583CFEEDA1F,SHA256=D7B7DCEAF0D4F7E2E9DA64F5AAF8590EAE16EB995036327E596B5872C924D20D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:38.515{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2226ED49691E2DF51B9765522489F173,SHA256=6329E1DE43C515DA1EA21E2466F3666F564240ECC07DC60C703A094320B82031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:38.774{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:38.252{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E911E5839EFF654A90C4A581D9E17C89,SHA256=3D1A8BF1C1AEBA04A99C799898378349A9F2406DFA7457CF0843BBD04AA7A354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.706{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92636372852C2656EC16CE3CB7A9D7AF,SHA256=F3765AAF7333262B91E8449B7B01CB41B9C3AE1AFAEAB76FEFE24053D117E909,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.597{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000320767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:39.354{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01539140FF38944A4D0EC198B30AD554,SHA256=A8FE7C6BE759CBA49436D0AD90797F78170835628032304231C42841B544AF86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.580{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.561{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.555{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.552{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.549{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.506{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.492{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.466{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.445{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.436{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.421{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.408{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.389{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.380{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.370{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.362{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.313{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.311{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000447101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:40.640{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=348DFFAAFF4FBCBF0DC034090BBBE178,SHA256=780C00E5A8582AD97080E493822BEB5DCF481A1B5089645CFEF1AF69981050E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.779{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.763{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.757{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.714{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.702{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.675{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.664{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.661{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.654{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.653{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.650{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.644{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.643{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.638{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.637{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.634{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.630{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.624{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.611{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.604{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.589{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.585{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.571{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.548{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.542{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.523{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.461{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.450{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 23542300x8000000000000000320778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.436{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D0F0807CD4FF9F03F6D4B37EC3DA85,SHA256=0C4F2652FE173130066957DC131D4DB4A5D60D86F7D711B5824EA9B582909478,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.425{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.409{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.391{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.380{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.368{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.355{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000447100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:40.237{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:40.234{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:40.232{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:40.230{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:40.228{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000320771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.337{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.326{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 10341000x8000000000000000320769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.322{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850) 354300x8000000000000000320768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:38.027{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50942-false10.0.1.12-8089- 23542300x8000000000000000447102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:41.750{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88EA5E4D65487EA309F7DF0AC6895095,SHA256=F6987A1A02801A640292A1CB6073BEA11BB2501421ECFEF47D43188912629A03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:41.756{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B9161DDF781FA14F482D08178EAF15,SHA256=5290A2330E19577593C6A31FD14C655CD2DA0091D100689A4705A9C0BF521968,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:38.403{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50943-false10.0.1.12-8000- 10341000x8000000000000000447126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.969{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.938{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.932{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.912{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.883{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.842{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.836{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000447119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.829{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C75B7F006CFE489D714565444FA9D1,SHA256=9B716090745036A3CAAE4E6BB560695F02CC10655166F15267C86861A1C8127D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.822{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.812{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.810{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.806{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.803{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.802{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.799{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000320809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:42.842{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4621C2336E78A3448C6F053FB4A3573E,SHA256=3C8803D9DC1FD42705EFA15039947ED7D9FB414A31BF674120B677610E442EA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.354{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.354{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.354{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.337{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-3000-00000000BC02}2848C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.290{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.289{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.288{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.278{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.271{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000320810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:43.938{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CCEFBAE15ADD822B517E670CBEC2444,SHA256=934CADA93FC5B259C6C040B1C3FC04190BDF5B078280E5D88DACC28D196F5C4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:43.914{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F067AAE9DCA92829DE1C8FDE2B220F65,SHA256=81F08A99AE3BC7A397AA1E78D0EBFFA0B11FF99023C77ECF423384ACFCF47F07,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:40.858{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52660-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000320811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:45.260{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C28821DE7DA7775E6688B59FE4389CD4,SHA256=A572FF1F30428466EADC7DB2034061E4A98B0D9D9E987F643B6C7D9EA29500CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.967{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B3C9-63D3-B503-00000000BC02}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.967{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.967{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.967{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.967{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.967{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B3C9-63D3-B503-00000000BC02}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.967{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B3C9-63D3-B503-00000000BC02}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.968{45AAC21C-B3C9-63D3-B503-00000000BC02}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.010{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51AE70893F214BF8BFC639EA911A78D2,SHA256=2D32123C38877EFF158FE48B7B3DE0B1EEAFAE686E87D18EBF08CA435A86A450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:46.343{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09964F116ED246330BFAF65D8B365357,SHA256=140F80BEE48099A0C96D7C6BABD8983081E071D6E43D4D8767CDD08B3DAE6A2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.749{45AAC21C-B3CA-63D3-B603-00000000BC02}54042144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.546{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B3CA-63D3-B603-00000000BC02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.546{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B3CA-63D3-B603-00000000BC02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.546{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.546{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.546{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.546{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.546{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B3CA-63D3-B603-00000000BC02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.547{45AAC21C-B3CA-63D3-B603-00000000BC02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.104{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CFA28C911FEB77BDD37D5BAD665491B,SHA256=3817E120570E56C5AB12AA768FA9F9C24B5ED7FDC8516DF11A36E6A2A76BE3E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.088{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3AC92E251F37B91F851F13313F2E57B1,SHA256=FD04CE4783AFECB0BB25B5762379D176DF98ABE2C0CCF5F6B45114BE30E2E2B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.040{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B3C9-63D3-B503-00000000BC02}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000447139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.040{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B3C9-63D3-B503-00000000BC02}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000447138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.040{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B3C9-63D3-B503-00000000BC02}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 354300x8000000000000000320814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:44.400{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50944-false10.0.1.12-8000- 23542300x8000000000000000320813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:47.545{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83B3442A87C517987FC7A8E7E2B16FD,SHA256=FB468F76EEF68164D2955662953F4D9111B865D8E3CA18956A9CD24C1A0FBFF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.706{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CE9C64865E7F462CF025F6BFD2B4CF71,SHA256=3FD7661F3C5FD5136873BCEB28CA09E58900DCDFC023C24AF973377C986BA5FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.206{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BC9CC95DA02CBE13408AE7939DA6AB,SHA256=0ABD552555C21D247866BACF68476CE8BA6D0442576A37A96C7E3462FC39EDE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.173{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B3CB-63D3-B703-00000000BC02}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.173{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.173{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.173{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.173{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.173{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B3CB-63D3-B703-00000000BC02}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.173{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B3CB-63D3-B703-00000000BC02}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.174{45AAC21C-B3CB-63D3-B703-00000000BC02}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.079{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E24632734BD62802A460CAFC92D381A7,SHA256=763B41A54EADE044088A2CAF0CBD4D9288A3B8E5E6DC7A6413055082F9599F1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:48.650{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B3C69F74C590824B47B9E6D250D06B,SHA256=7539A298FE0AA58639C9E2AE4D4E7EB0FF5C5D6F9D39B673ED4B1BEE00DB3BD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:48.285{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=658F8195DF8F42B5B4194B80E1E8E6C4,SHA256=8C55221CCFC5C3412E2680F78D001F3B90D1305286C04F21C5BD7850063E1DF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:49.850{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C848F9670F361B4E0C6D94157B6BD3A7,SHA256=3D485F9680D7A4468C707A95CA28D104C5275478FDDB3CA32A57D2D21600C49F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.949{45AAC21C-B3CD-63D3-B903-00000000BC02}31205644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.683{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B3CD-63D3-B903-00000000BC02}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.683{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.683{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.683{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.683{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B3CD-63D3-B903-00000000BC02}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.683{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.683{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B3CD-63D3-B903-00000000BC02}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.685{45AAC21C-B3CD-63D3-B903-00000000BC02}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000447175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.402{45AAC21C-B3CD-63D3-B803-00000000BC02}40041120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.387{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C10176E214D013F9F1C431F3F9E4AF,SHA256=9A6B195900CD0E8D833A6386C6360B4168524899AFE3D0488DD3EA9632F11092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:49.089{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230127093815-100MD5=FAFF531EDF0CFC03BCEBADF518BA5361,SHA256=88BF976C27BC6DB398DABD588375EB870CCDB2E8695A85E73E9E0CF078A2553A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.249{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52661-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000447172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.249{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52661-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 10341000x8000000000000000447171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.182{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B3CD-63D3-B803-00000000BC02}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.182{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.182{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.182{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.182{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.182{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B3CD-63D3-B803-00000000BC02}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.182{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B3CD-63D3-B803-00000000BC02}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.183{45AAC21C-B3CD-63D3-B803-00000000BC02}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000447195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.627{45AAC21C-B3CE-63D3-BA03-00000000BC02}60883812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.471{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD0E2A8209FABC30BF5DBA38BB59B676,SHA256=C48A98BBCC8F66A36F2F63443BCE012694CEB8F422ED4D79CEE395FD08946E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:50.101{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-101MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.361{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B3CE-63D3-BA03-00000000BC02}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.361{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.361{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.361{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.361{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.361{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B3CE-63D3-BA03-00000000BC02}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.361{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B3CE-63D3-BA03-00000000BC02}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.362{45AAC21C-B3CE-63D3-BA03-00000000BC02}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000447185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.866{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52662-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000447204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.729{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B3CF-63D3-BB03-00000000BC02}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.729{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.729{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.729{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.729{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.729{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B3CF-63D3-BB03-00000000BC02}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.729{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B3CF-63D3-BB03-00000000BC02}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.730{45AAC21C-B3CF-63D3-BB03-00000000BC02}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.573{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E79292E3A96FC93259EF6139B8BBA3F,SHA256=4DF7146DC36E4C912500B87F5317A1BBDFCAEF48DA9FB1ACEBCB72748920ED8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:51.037{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0609C0E45135942DCCA73519FE01D00,SHA256=E6CE2AF7C4C00BFB3DCF6EDF1342862F5923E3D8005271D079D4AA0CD7C5B7D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:52.846{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2A6E9BD8DAB9476BC59599E82A4DAEA,SHA256=93AAAAAE1E67764AF5D65E2E368369EFA5E3EEF277D3ECB7BA6C0F29E1F46C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:52.675{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899779A40040BED46597CD7FE455D1D4,SHA256=14572EE8E981376F9DDEA7E4D8310A19EFDFE1E02472C6F0D174AEB7049E421D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:50.368{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50945-false10.0.1.12-8000- 23542300x8000000000000000320820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:52.118{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02AFDC75398A2D8130FA0A7740110018,SHA256=9FC3A90A1BF3AEDAC2635272202F74754622DB7FE3FF7744D69DD4AC75C75930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:53.768{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E64031312379B694D58F59E562B9C47,SHA256=C972826CC0B40EAF08FA180956549F2576557B7B3F28F2416E553563AE70DA1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.833{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=084582649F216365DA6D0ED1C818E8D7,SHA256=7E4B85B09216794BE618CEFE00A2F48DD3413621770B323F4F3DF0781646AEE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.687{72106695-B3D1-63D3-A103-00000000BD02}39323336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.512{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B3D1-63D3-A103-00000000BD02}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.512{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.512{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.512{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.512{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.512{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B3D1-63D3-A103-00000000BD02}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.512{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B3D1-63D3-A103-00000000BD02}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.513{72106695-B3D1-63D3-A103-00000000BD02}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.215{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB594DDAFC937932E989E314A62C4FD,SHA256=25BB90C65D74E66F19A3FC5F3916292858956A4CB2EEFF78723B488961D89F2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:54.855{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F0D0BEC6299363D29B952D3D2D63620,SHA256=BE0D96FF6FDA67C350CB4F3483C2994F4CEA35E3723370C44773C5A2D1163982,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.832{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.831{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.829{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.829{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.829{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.828{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.694{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.694{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.694{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.694{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.694{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.694{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.694{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.695{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.600{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33C9C038FFED7617B305C2B16FB27EDB,SHA256=1059972D92038A8CB4513C09B9CD28435F8D07A02969216DA955C4C568441188,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.397{72106695-B3D2-63D3-A203-00000000BD02}57645760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.303{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06AE6D9AF1B518F37E260C2950DB67D1,SHA256=412C013E7BD19AD7652C49E281E38D79B38F1ED09952DB265E648C70214414F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.194{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B3D2-63D3-A203-00000000BD02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.194{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.194{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.194{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.194{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.194{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B3D2-63D3-A203-00000000BD02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.194{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B3D2-63D3-A203-00000000BD02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.195{72106695-B3D2-63D3-A203-00000000BD02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:55.957{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30929D82FEF0EB06A0493E54AC71394B,SHA256=61FFE7C48D06E9F4323ECC7DA8445F5961E1C2F73185B44D8F43F630F10ECD40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.955{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.955{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.955{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.954{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.954{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.954{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000320874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.865{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.865{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.865{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.865{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.865{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.865{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.865{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.866{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.397{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCB9CF9A278A7E78D1A45EC23A90DD2,SHA256=D4094C79BF2D13BD062E697CFB85ECF13BBF687A57C3CABEC877251B18E0AA90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.365{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B3D3-63D3-A403-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.365{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.365{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.365{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.365{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.365{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B3D3-63D3-A403-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.365{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B3D3-63D3-A403-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.366{72106695-B3D3-63D3-A403-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000320891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.746{72106695-B3D4-63D3-A603-00000000BD02}59285952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B3D4-63D3-A603-00000000BD02}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B3D4-63D3-A603-00000000BD02}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B3D4-63D3-A603-00000000BD02}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-B3D4-63D3-A603-00000000BD02}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.458{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9FB60E9BA96EE3B7FB48AD22499B391,SHA256=26E57F0FBD611D80DFD7790FA95991B563E92622882C1797083FEEA1269CA9FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.934{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52663-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000320881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.053{72106695-B3D3-63D3-A503-00000000BD02}58645908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000320900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.562{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EED68BFBD35E3F9693A278C96C4BA0C,SHA256=F76939537798E974B22B6E21C6B6546BB1AFB48B773502DB4BDBA815688170EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:57.055{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11FF50D90DA6EE0B743AF5B28A9ADF3A,SHA256=1A82AF49CF48D1368239C0231D2C057F7C99448CF27FFA183C3378C17DF8D02F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B3D5-63D3-A703-00000000BD02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B3D5-63D3-A703-00000000BD02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000320893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B3D5-63D3-A703-00000000BD02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000320892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-B3D5-63D3-A703-00000000BD02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000320902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:58.647{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE860CCE2FC51F29505D50F17F7312B5,SHA256=D7F0F87E9978D742B264F2A4D7EF77A0BB0F93DBE286A9CA6CB0C45F6F399D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:58.144{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F826D1335FBDF4C0FFA9E63729E4A11,SHA256=D119C0274330F39A1B4741475AD054882A62C5DA569E2822A80FDB51CB35274F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:58.059{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=574CD442FEB584AC4FCDBD289B662351,SHA256=552A05E4DD272E5F541CC1BD0251509D898DCC067FBE26629462686FFC6AB0D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:59.745{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F816758DDDAEEDF82908C529494001D2,SHA256=0DA6AF9629F1016D9E9B681305DB49B663CAA44FAA92B59EE09B47FE2886D55B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.329{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50946-false10.0.1.12-8000- 10341000x8000000000000000447232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.546{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.533{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.524{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.520{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.517{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.514{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.478{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.471{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.459{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.453{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.443{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.427{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.409{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.397{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.390{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.368{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.358{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.311{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.308{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000447213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.232{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED5AF4F6A42DFA1CE5A83328DFD8615,SHA256=519C292D72B865650A35387655CC8A0473BB207CB74AF84609FC2A2D11F42379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.987{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=669D85A98A7D5DACE870808AFCAC4A50,SHA256=50A3AAC8DAD33C9D295582D930DF3DE6D1ACC60A360A4420C65C289E0794AFDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:57.837{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52664-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:00.352{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1125C03CC60453261C073D4AC0809A2,SHA256=674BAC696EA27780E3824F4812F7C06C965C2330BFE75F0F0271AB2331A42636,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.640{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.625{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.621{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.587{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.572{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.548{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.543{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.541{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.538{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.536{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.534{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.530{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.529{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.527{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.527{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.526{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.524{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.521{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.513{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.506{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.497{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.495{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.488{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.475{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.473{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.463{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.417{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.408{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.400{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.392{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.382{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.375{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.360{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.350{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.341{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.330{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000320905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.327{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610) 10341000x8000000000000000447237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:00.156{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:00.153{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:00.151{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:00.149{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:00.147{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000447240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:01.441{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC6C2066238897F2C6A0CF695C246F6A,SHA256=05E8BFCD1FC586173F8131DAA7D82C6BF94684C816832F819386E06A92911A80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.859{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.839{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.836{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.825{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.811{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.771{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.761{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.748{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.741{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.736{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.731{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.726{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.725{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.722{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000447246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.533{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708C30325BB5F4E11C685BA5A803FD65,SHA256=02C6388AB51CE33459CC09A170A0CB8CEA2F6A9AF39BF04D9665A433110D2B06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:02.107{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C056ECD859CADE28E10944E04F920B2B,SHA256=43E3732A5098B26683BC7574AAA68E3FE929B48365864FD2C42386BEBF613FCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.212{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.211{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.209{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.193{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 10341000x8000000000000000447241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.180{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0) 23542300x8000000000000000447261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:03.599{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C3128F3B6BFB9FA0EACCDB697166F5,SHA256=5409800C2275F9BA941992B8E168F2DD631655B5E4E323772FBCC748565D1262,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:01.344{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50947-false10.0.1.12-8000- 23542300x8000000000000000320944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:03.218{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7439C5BC6A2346A6396F3519423A6FD7,SHA256=855CD042DCACB72A0AA40139729DF43843B860A4AF57CED81A76BC3C52460433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:04.685{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0DA44CEE8340512015DB0B3E28FF328,SHA256=234BF57A0AB09A4B2549E6AB75DF916B26DAE542293183C11BB1376A20D9634C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:04.311{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808438B0A2E71386BF6C320D65F3F1B6,SHA256=326AB46A24F8CC3579EE93B8B46935ACA2BC5F794ECB6F60DA2732BEDF34846C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:05.764{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF74B124F4115867EE89CB0AFB828E16,SHA256=76ACF8F02490E773903B6964852D74A8FC245307EFC70B578F18C1AF06D0EA58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:05.395{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C26111B0E201C393EDEB33D4144C51B,SHA256=D9A0C1B3E67691CC8D9797925A1C83EE4FAA95FEF0BE6C74450AABA025535FD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.924{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52665-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:06.865{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721754CC6A7CD08D2B323B98E41FFE39,SHA256=3B92BC20191AC4009E9D0CC9E7369F095BBDB3C3141708D29184B7F669084CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:06.494{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8AC5B3959E3345F1F39B50AE3E91E1,SHA256=CC4E6B025B28E282A8769E23CD838937C97B0F11AE656C2E7FDF1C5E448A3610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:07.935{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4FD361059681C4301A238D3004B5A8A,SHA256=CAE627B742FF571B82368CEF316E23985676DB0DDB32D018DBC0D940F7B1AA9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:07.584{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B502675502B252C6B564460299C17FDE,SHA256=66C366C2FA113DC6E5825A1F1EA6B8031C960C7EB8209332714F2222D7BFA6B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:07.071{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230127093833-100MD5=ABD21C848C86C8C4C327246443A18885,SHA256=621828FF48080C628607F27990B50D4C7839DD5149D1A5B05A104AE9C04F6CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:08.675{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC3817103C9F0F8D4EC269467BDECD82,SHA256=D627F44862C98CA67B1F109203851B0A278B394B6BB6F0883B77284616056CAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:08.077{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230127093831-101MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:07.307{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50948-false10.0.1.12-8000- 23542300x8000000000000000320951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:09.770{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04CA749293DE7CC9EA2730BB20518186,SHA256=68BD4A7F1D44995C4EDDA6ACC114BBDEE4DF2263228C1126BDBCADBDDC0DA0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:09.127{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3749548CC4C8FC891379343E2523D7E,SHA256=536D48E4A9065C7A0BDF7CCB73600C710724BF7306E72916BF718440AED6E849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:10.857{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DBA79C913BF0DEE3D3F725215294C03,SHA256=A31A25A4ABA3BF9B9018DC8E61916E0A359D646720606FCFBC2BC471FBC3AA89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:10.301{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6AE681ECA4D1C6ECE6452A6F43E8F46,SHA256=8F86FB840D129E3CDB29745A85A9E54AA910CD084676A91ADD56FCC39F93823E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:11.945{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2049362D7305BB73BF7976E446C5A4,SHA256=AB86E58152F08FD39B1672909C02BB9ECC627EDE530CDD81236E55D2B6A6DF25,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:08.828{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52666-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:11.408{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4711D9043258F433A1B215BECB8D237F,SHA256=0C9811BF875605AD5E74B83E0D8A8A109022C6917237B0B6ED1DB0599796CF12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:12.496{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07CBCB6AC2EF72A000091459ADD85CBA,SHA256=CC7A6702AC9BBC12564A56D843FB13463A2385635FBF6BEF6BCB355489558689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:13.568{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=030C1339C8A0B4DB71F360A067670722,SHA256=890C947539DFCDCF11531F8A143B1423BD40C9223A169C6E12A87B5DB1E9B40C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:13.022{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49868B8ECCB131BFBC58C3D8A7A510EF,SHA256=59BE93B812357F2C3E66DE35F5E7F03F59E39CD44A735CFC1DD001FF6E76735A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:14.670{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D394577CF14EC3FE196464998A33599,SHA256=3BC2E15CE539C72792AE1685FE11038D6D0573FCDA8BE0AEE020DF47842012EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:14.996{72106695-9B85-63D3-1100-00000000BD02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=840629E773C81CD84EC614D71F943F54,SHA256=A8337FA52391185CAAD08936015D5FA9FC31BB74ACD1A00857B6E21498ED7354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:14.113{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA009FE48F6F64105A1F7999BE56E7D,SHA256=78C19849F5F88E6C6CA549FBBE0FD0A41C7D17E63FFF9BAD0EDA6C292EFB411B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:15.765{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF6E1CA095F1161558DE78B8AD38D1C,SHA256=374865436C905A1B73AE3AF91A88FF500E47E551004331C32AA8ABC78422A8AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:15.208{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB7F7AB4D7B2FBF71ABD71BCA788854C,SHA256=580F62067F424B7CD8AB0FA0913B827FF7C11E060E2A4744A5033484A97D42BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:12.339{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50949-false10.0.1.12-8000- 23542300x8000000000000000447278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:16.848{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=523A2C1F364922AB22682DB6A0EABAF1,SHA256=D80A66E1F75412ED89F62DD589C3C4E43D8E7DCBFD73B5BAD3B1F7570FF0164B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:16.308{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05316C73290A97064E933FAF0E3978EA,SHA256=6B26D146788E9ADF5091E51515FB99643083E2F2D7153BD035D1F569583DD0E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:16.189{45AAC21C-9B85-63D3-1000-00000000BC02}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BA8C7D89596A339AA67D67E2CB1BF415,SHA256=469ED0649A67B331BBE9F4B4BF64D2D38858CCC847583F3FEADB210CFD2DFE4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:17.949{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB569AD126BB6DD0F41D21D4EDFE62EC,SHA256=9F65DBCBFEB9BADE9D458698E5665D92D589DFE3074C3890FA8C80E66E56DA06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000320961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:17.411{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5A2ED0805531A588B1A8BF708ACA1E,SHA256=FD5B7D0D72099A1B92265F28961CD67A58DEA104FB36048B64BD3612A81D6406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:17.840{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3B9484D057ACBFB8D7AF362B5DF0E87B,SHA256=2E6F06F6037DBD1FD1D512F42B0247A6B8F58C6845000BAF5E19B766A5CEAB1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:14.808{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52667-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000320962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:18.491{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C1085341000224EB33D9D57416CAD1,SHA256=B1FD008E37E1561F4FBFDA258354E942213A31EBB2358EB4EA3B69A945AAEEBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000320964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:17.442{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50950-false10.0.1.12-8000- 23542300x8000000000000000320963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:19.590{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17BE8D6A2CEA15ABEAA2DAEE6C4B354E,SHA256=1518998292B159813679CEAF8B8276697B226FF0A41AFEABCA47FDBA67C901AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.633{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.615{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.600{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.592{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.588{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.584{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.530{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.518{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.488{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.477{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.453{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.415{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.400{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.380{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.373{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.362{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.354{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.301{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.297{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 23542300x8000000000000000447282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.049{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D3878639A8E98CC2F6B32791D429886,SHA256=47EF37A027C6EC1B840F86CF5991DBCA479BDEEEB889C2479C812650DC50ECED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.796{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000321001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.782{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000321000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.774{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.722{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.698{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.664{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000320996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.661{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A54608B34B1136D4D3C1A801AE1C9CB,SHA256=D323FB75D247094027B219948066B7C5558784F38CD0AFBF82389795135FE868,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.652{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.651{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.648{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.645{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.642{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.639{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.638{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.632{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.628{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.627{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.625{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.621{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.606{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.604{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000447307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:20.255{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:20.251{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:20.249{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:20.247{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:20.245{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 23542300x8000000000000000447302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:20.182{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95DC467684C36B58355572EB79BC1B60,SHA256=4051400FA26299160DE9360785B25E7D853EB7478E6EE7A40164AA0116C6ABB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000320981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.586{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.583{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.572{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.553{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.550{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.533{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.466{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.453{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.444{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.429{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.409{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.389{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.375{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.367{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.349{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.342{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x8000000000000000320965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.333{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x8000000000000000321003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:21.719{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01A319B456618F77D76BA18DF4666C9E,SHA256=FE8B421459090CC28217146C58E27418D6A44C5ED6A02C6EA2BDC6215B2B19EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:21.276{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F80923925DC69976BE8D2184375D8F,SHA256=81FD65F016544616CECE8FE8921485661DEC03B93D9CBE59CD82CC8D9177301B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:22.817{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F8BFCF5CFD56F9D70CDEE8E58520F1F,SHA256=A6803F36A977D07512986A439A49DF7928DAEE49BBA396F98B0CDD1628278555,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.910{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52668-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000447328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.945{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.920{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.916{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.897{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.883{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.860{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.853{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.845{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.835{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.833{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.827{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.823{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.822{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.819{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 23542300x8000000000000000447314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.360{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F8749CCCE17E1361939EA4946814A4,SHA256=946CB40B5C47939B22076B0E2376372B3FB73596E6500F20A0700C3FA54B6CE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.308{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.307{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.305{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.293{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 10341000x8000000000000000447309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.286{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190) 13241300x8000000000000000321011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:23.941{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B298D29A-A6ED-11DE-BA8C-A68E55D89593} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x8000000000000000321010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:23.941{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99D353BC-C813-41EC-8F28-EAE61E702E57} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFBinary Data 23542300x8000000000000000321009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:23.894{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AAE67087557CD85432EBC57F052FA3E,SHA256=C3CC72C6113DF73D05546DFF8694FBCDC87F69F43485C93BA58C1AAE47DFF358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:23.445{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420E644D1DC932150E427D10DF88BC42,SHA256=8FD3BA121B52CA66DDE6206D292F30319EF53BE310142D25F356B5921B881B7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:23.162{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:23.162{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:23.162{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:23.140{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-2000-00000000BD02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:24.983{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11307A83E44B1BD5E00D82F2B12EFC53,SHA256=7D58D55EF0CCEEC26D99A1EBD36310C7E56E8C007695F9698686FE9CD0D0212B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:24.542{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD57658119060C5ADADD16928AF6B74,SHA256=F3967F4E949B5A3EB63D051670F8ADEFA8D083957034DD1A4EFD1F27880ACBDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:24.654{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=97CC2EFD17A78DF1244BB58418C73605,SHA256=D51D05FE13134418230786CC386F0A1226F6542C7C9920FAB166CCAA9C5C5F55,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000321016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:24.129{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x8000000000000000321015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:24.098{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{ECF03A32-103D-11D2-854D-006008059367} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x8000000000000000321014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:24.098{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x8000000000000000321013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:24.081{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 10341000x8000000000000000321012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:24.003{72106695-9B85-63D3-1700-00000000BD02}12241696C:\Windows\System32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:25.642{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF1E59DB75022F540021CD501DF08C16,SHA256=FCBD1170AA45B99DC2C74B819FBCB61B8D03593291356471355EDF13DA6D11B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:26.740{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6BFC6BFB881ADD0F8EC65026CC5FB7,SHA256=2E531642D8E5301198F1B84955A0D466C95D5049AD9DCCE8397308FCF54FA0E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.892{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.798{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.798{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.798{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.798{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.798{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.798{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.798{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.783{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.783{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.767{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.767{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.767{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.767{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.723{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.720{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.720{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.720{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.665{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.622{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.622{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.622{72106695-9B85-63D3-1400-00000000BD02}10321360C:\Windows\system32\svchost.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.622{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.575{72106695-B102-63D3-1003-00000000BD02}39441080C:\Windows\system32\csrss.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.575{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.575{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.575{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.575{72106695-B106-63D3-2B03-00000000BD02}9645340C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\7-Zip\7-zip.dll+558c|C:\Program Files\7-Zip\7-zip.dll+6955|C:\Program Files\7-Zip\7-zip.dll+712e|C:\Program Files\7-Zip\7-zip.dll+7275|C:\Program Files\7-Zip\7-zip.dll+8ff3|C:\Program Files\7-Zip\7-zip.dll+c541|C:\Windows\System32\SHELL32.dll+4d8ef|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+16c38c|C:\Windows\System32\SHELL32.dll+19ebfc|C:\Windows\System32\SHELL32.dll+2846f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16c630|C:\Windows\System32\SHELL32.dll+169a0e|C:\Windows\System32\SHELL32.dll+40eb1|C:\Windows\System32\SHELL32.dll+43d96|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15 10341000x8000000000000000321050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.575{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.571{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe22.017-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\" -an -ai#7zMap16821:48:7zEvent8084C:\Windows\system32\WIN-HOST-CTUS-A\Administrator{72106695-B105-63D3-6E44-240000000000}0x24446e2HighMD5=5AB26FFD7B3C23A796138640B1737B48,SHA256=EB775B0E8CC349032187C2329FEFCF64F5FEED4D148034C060E227ADF6D38500,IMPHASH=F5976AA5B71D78D164DDC61EA72A2DA7{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\explorer.exeC:\Windows\Explorer.EXE 354300x8000000000000000321048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:23.302{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50952-false10.0.1.12-8000- 354300x8000000000000000321047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:23.258{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50951-false72.21.91.29-80http 23542300x8000000000000000321046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.262{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B013EE036B07620E38C49E3B7FA5843A,SHA256=B949241142DBC891C836697915491688CDB99B582B47E00910506EED5B57BBA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.697{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A63942- 23542300x8000000000000000447335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:27.927{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E6333AB3CB91D25D6C58BC0BFD5B52,SHA256=642EF3389AAF7623CCEA5DF3C74228686756409E2A68111DB6481230BC46F939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:27.710{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=128CB24D7F730223B43028B82A347674,SHA256=8BB79F7CFF78BF1DB9599B8C156CD7BFE4FF5BF7567D0E3424E8C81786E41C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:27.408{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A696009B8BE18634CD3D9330A21440,SHA256=0EB06B0A69C1FE29BFDFD6A22C6F15C44FBD0242BBC73BD321B9D4EDE83DA205,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:28.597{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:28.597{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:28.596{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 23542300x8000000000000000321083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:28.502{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526BD1F1BBFD2ABD7612507125FBB2DD,SHA256=A14D4F167F7202D9D0DF1AD843B3BFACDCC393F91812D81F020004DD4A97B83A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:28.502{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0700DDF0015A42830F3544C41CC7FE,SHA256=0CE95E26BE39137F68A0180B830D1F89BD6A1C3C90774797A3E588236C97701C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:25.720{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52669-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000321081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:28.219{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=51E865D0DA3613F801501E2FD433944A,SHA256=A1730184B1A9FEB49370A913DE4374F35F0CE67E5452A5151DA4E5EF3AAA396F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:29.587{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A0CC5499A89FE46193CECC3517ED28,SHA256=A4A29E4DBC2CE974B5F4CC2F6892F0D68C6B4CD997E25866917BE50E941A1915,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:29.506{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exeC:\Temp\OfficeSetup.exe2023-01-27 11:22:29.491 23542300x8000000000000000447337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:29.018{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EC38C3D2129A0F1E6CCF3AB2EDA8C2,SHA256=89436C2E48E241EAE52A13F52A093FF1278C08B61B5FF1959F863ABE1CAA9AF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:29.256{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:29.256{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:29.256{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:30.584{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4FD04D707851DEEE55BD86BA0A7503F,SHA256=1F091B8932452E8537DD54B0FF66D595C95E8847274C01AE338D7DB4E6C009E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:30.109{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C21743D366637C0B30AC058B8FB1C307,SHA256=EE9B05C4ECB68AA49B8729F38EDA972961205456D6BFB56828B82D13926CE128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:31.666{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B015791A48ABE1DD8EFA0F3C223577,SHA256=B5245441EB44EB2FF8295E236FBCA51C0FEE6FFB7AAAD13778FCCB59F8AB07E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:31.197{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6FA0333B42568B34372169F7BAFB0EA,SHA256=7AA444A68D0F13A0A8FEDFEFC1E29FD6C5CA0F3A9B1D15BA6F049D3AFE2D524D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:29.335{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50953-false10.0.1.12-8000- 10341000x8000000000000000321125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.984{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.931{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.930{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.930{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.925{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.917{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.916{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.915{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.915{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.915{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.914{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.914{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.914{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.914{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.752{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3CA20B831AF4CAA183794E3672CB8CB,SHA256=7DCB9717C2523BE7108A0F8A04FAC52E1567A6608B92720F428CBBE53157509F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:32.282{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A33BC2BE55BF880555DF7E5FE4AC83,SHA256=C850E46E2EC63F39298AC8C4AD4A11752F7F80D59819B9522E167E7F1A5F4074,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.659{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.659{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.487{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.487{72106695-9B85-63D3-1400-00000000BD02}10323972C:\Windows\system32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.487{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.237{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000321104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDBSetValue2023-01-27 11:22:32.237{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exeHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\OfficeSetup.exeBinary Data 10341000x8000000000000000321103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.237{72106695-9B85-63D3-1200-00000000BD02}1000496C:\Windows\System32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.237{72106695-9B85-63D3-1200-00000000BD02}1000496C:\Windows\System32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.206{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.206{72106695-B102-63D3-1003-00000000BD02}39442856C:\Windows\system32\csrss.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.206{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.206{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.206{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.206{72106695-B106-63D3-2B03-00000000BD02}9645996C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\windows.storage.dll+16fcea|C:\Windows\System32\windows.storage.dll+16faa6|C:\Windows\System32\SHELL32.dll+5c3dd|C:\Windows\System32\SHELL32.dll+5b256|C:\Windows\System32\SHELL32.dll+4d869|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+177a30|C:\Windows\System32\SHELL32.dll+177683|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.126{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe16.0.13801.20266Microsoft OfficeMicrosoft OfficeMicrosoft CorporationBootstrapper.exe"C:\Temp\OfficeSetup.exe" C:\Temp\WIN-HOST-CTUS-A\Administrator{72106695-B105-63D3-6E44-240000000000}0x24446e2HighMD5=1B649814B0DBE3798D7426035C957FBD,SHA256=6469E1E2B57624EF62F5D36DFF93DFA0A50357B38350B565F395954A69327BB3,IMPHASH=6C556F7C64982E938EFD4571794DFE48{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\explorer.exeC:\Windows\Explorer.EXE 354300x8000000000000000447342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:30.881{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52670-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:33.370{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E715FE50BBA7B0EB2C8946AB18CB6E1,SHA256=B19711BEB1DC264D3D5840203D0D5B158A1B36C05018E18AF49C0377DE9E6F86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.580{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.408{72106695-9B85-63D3-1400-00000000BD02}10323972C:\Windows\system32\svchost.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.408{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.377{72106695-B3F9-63D3-AB03-00000000BD02}46763540C:\Windows\system32\conhost.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.222{72106695-B102-63D3-1003-00000000BD02}3944400C:\Windows\system32\csrss.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.205{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.174{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAE3EC59A37096E67F5339642935C2F7,SHA256=5C9E1B87DCECA08B92C4FC1956C113506545C8C33BE6FB0A402665124F25D6C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.112{72106695-B102-63D3-1003-00000000BD02}39442856C:\Windows\system32\csrss.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.112{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.112{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.112{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.112{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.111{72106695-B3F8-63D3-A903-00000000BD02}60485684C:\Temp\OfficeSetup.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Windows\System32\windows.storage.dll+1c6716(wow64)|C:\Windows\System32\windows.storage.dll+1c63d1(wow64)|C:\Windows\System32\windows.storage.dll+1c64a3(wow64)|C:\Windows\System32\windows.storage.dll+1c7175(wow64)|C:\Windows\System32\windows.storage.dll+1c6021(wow64)|C:\Windows\System32\windows.storage.dll+1c8182(wow64)|C:\Windows\System32\windows.storage.dll+1c85ec(wow64)|C:\Windows\System32\windows.storage.dll+1c8035(wow64)|C:\Windows\System32\SHELL32.dll+1a9394(wow64)|C:\Windows\System32\SHELL32.dll+1a926e(wow64)|C:\Windows\System32\SHELL32.dll+1a9069(wow64) 154100x8000000000000000321130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.100{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "C:\Temp\WIN-HOST-CTUS-A\Administrator{72106695-B105-63D3-6E44-240000000000}0x24446e2HighMD5=65D86C34814C02569E2AD53FD24E7F61,SHA256=8133502266008B77DE7921451E1210B0EF3F0ED2DB7D8D3EE0C3350D856FA6FA,IMPHASH=5E0145CEF36FA9BFBA7DE33AA683B8ED{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe"C:\Temp\OfficeSetup.exe" 10341000x8000000000000000321129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.100{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.039{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.039{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.038{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 354300x8000000000000000447346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:31.757{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A65427- 354300x8000000000000000447345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:31.757{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A51044- 23542300x8000000000000000447344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:34.483{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16341B0E43FBE1018D23730ECDD26F95,SHA256=9FE3A978A7FF07D0F5850DAAE62C51989CF9D39CBDC58C4F3E9E6903A98A2CF0,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000321168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-CreatePipe2023-01-27 11:22:34.717{72106695-B3F9-63D3-AA03-00000000BD02}5852\PSHost.133192921531001648.5852.DefaultAppDomain.powershellC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000321167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.685{72106695-B3F9-63D3-AA03-00000000BD02}5852WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ztfcqicw.uw4.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.685{72106695-B3F9-63D3-AA03-00000000BD02}5852WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_bx42dlfi.nwp.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.376{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_bx42dlfi.nwp.ps12023-01-27 11:22:34.376 10341000x8000000000000000321164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.358{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000321163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.336{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50954-false52.109.13.64-443https 354300x8000000000000000321162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.329{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50955-false52.113.194.132-443https 10341000x8000000000000000321161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.342{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.124{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.124{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.124{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.123{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.121{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.121{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.079{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.079{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.079{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.079{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.079{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.078{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000321148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.053{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B3AE72E8117EEA707F9EA04C211DBEB5,SHA256=A60B044BEE9F7A1324A1727DC2234FF7710F8DD03299D55BDF91691CD1D72BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.051{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E710A41F2B46CC54017AFB2DF1BEE1D9,SHA256=4824EA7CF91AB7FB94388BA04C8F2D8F3AC037EB2F56FF1AD39B8B7CFE863F68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.013{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.013{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.013{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000447343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:34.091{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:35.559{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E8771FDA239B4F6FC2A23B651B677D,SHA256=1A815EE55160C679F82DB6EA44E6D5D1F38C1A762FCA23DFCB4609F084B89857,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:32.904{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A52998- 354300x8000000000000000447348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:32.904{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A58423- 354300x8000000000000000447347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:32.790{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52671-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000321189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.944{72106695-9B84-63D3-0A00-00000000BD02}6202516C:\Windows\system32\services.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.944{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.928{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.928{72106695-9B84-63D3-0A00-00000000BD02}6203860C:\Windows\system32\services.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.928{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+1f048|C:\Windows\system32\lsasrv.dll+1e271|C:\Windows\system32\lsasrv.dll+1ca8e|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.928{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.928{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.928{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.569{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D282A4A20EA09BE13BE38E27166E575F,SHA256=596CB8E95B3DB7CB522B00D11DD7BCEFA0A0515800D75E2FBB43EC169D98FF7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.569{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D46B912D74DE4982EA7CBBDE5B21C10,SHA256=1589C1487088E7753A67B387AA180E3FD0D519D0EA663DCE60EA5CCE57285942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.366{72106695-B3F9-63D3-AA03-00000000BD02}5852WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_xqlgmawu.ped.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.366{72106695-B3F9-63D3-AA03-00000000BD02}5852WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mysdrnn2.t50.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.366{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mysdrnn2.t50.ps12023-01-27 11:22:35.366 22542200x8000000000000000321176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.315{72106695-B3F8-63D3-A903-00000000BD02}6048ecs.office.com0type: 5 ecs.office.trafficmanager.net;type: 5 s-0005-office.config.skype.com;type: 5 ecs-office.s-0005.s-msedge.net;type: 5 s-0005.s-msedge.net;::ffff:52.113.194.132;C:\Temp\OfficeSetup.exe 10341000x8000000000000000321175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.122{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.122{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.122{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.082{72106695-9B85-63D3-1400-00000000BD02}10323972C:\Windows\system32\svchost.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.082{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.010{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.010{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:36.652{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E8C17A75E58A6AAB005AEED9D6A09A,SHA256=2FF0F80E26821EF2B1A7C280CADA845B03F32086102EF89DBFF347AF8B86396D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.890{72106695-B3FC-63D3-AE03-00000000BD02}48644360C:\Windows\system32\conhost.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.890{72106695-B102-63D3-1003-00000000BD02}39442856C:\Windows\system32\csrss.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.890{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-B102-63D3-1003-00000000BD02}3944400C:\Windows\system32\csrss.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-B3F8-63D3-A903-00000000BD02}60485684C:\Temp\OfficeSetup.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Windows\System32\windows.storage.dll+1c6716(wow64)|C:\Windows\System32\windows.storage.dll+1c63d1(wow64)|C:\Windows\System32\windows.storage.dll+1c64a3(wow64)|C:\Windows\System32\windows.storage.dll+1c7175(wow64)|C:\Windows\System32\windows.storage.dll+1c6021(wow64)|C:\Windows\System32\windows.storage.dll+1c8182(wow64)|C:\Windows\System32\windows.storage.dll+1c85ec(wow64)|C:\Windows\System32\windows.storage.dll+1c8035(wow64)|C:\Windows\System32\SHELL32.dll+1a9394(wow64)|C:\Windows\System32\SHELL32.dll+1a926e(wow64)|C:\Windows\System32\SHELL32.dll+1a9069(wow64) 154100x8000000000000000321201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.884{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "C:\Temp\WIN-HOST-CTUS-A\Administrator{72106695-B105-63D3-6E44-240000000000}0x24446e2HighMD5=65D86C34814C02569E2AD53FD24E7F61,SHA256=8133502266008B77DE7921451E1210B0EF3F0ED2DB7D8D3EE0C3350D856FA6FA,IMPHASH=5E0145CEF36FA9BFBA7DE33AA683B8ED{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe"C:\Temp\OfficeSetup.exe" 10341000x8000000000000000321200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateResult.scratchMD5=21438EF4B9AD4FC266B6129A2F60DE29,SHA256=13BF7B3039C63BF5A50491FA3CFD8EB4E699D1BA1436315AEF9CBE5711530354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateError.scratchMD5=BD3457E50947D4280734E74B51B5B68D,SHA256=23D647979BC5DC186DE5BA3E00A222A912AB8E4782EB6407EFA70E29E95979F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.844{72106695-B3F9-63D3-AA03-00000000BD02}5852WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.574{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A22FD0E6CA604141CC79B1F5A89CD869,SHA256=0915C22CB4446CE63A9023B1C884E17AB2DE5463B7F96B509CC801672B065D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.474{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332A0538177F7AA151CCFECEC39B9DEB,SHA256=18B2685047F0478563A9DED2373786196D8C8FA76A72F926D4C86C8CF5A8A459,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.364{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50956-false10.0.1.12-8000- 10341000x8000000000000000321193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.164{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.163{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.163{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.163{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000447352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:37.735{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CFBBEADA86C72C321F60DDCFEBBBF2,SHA256=5138AAFCCDA79C7E8E6CA08991BC005ADD2BCDD23FC28D3DAA201989B2944A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.975{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E43D463E940B342245EA9B320B58C913,SHA256=4CE77E7FB2A850FB70770736B978DD6580292F19F74E66ADA338C6025C8974F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.740{72106695-B3FC-63D3-AD03-00000000BD02}5512WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_d3jk545z.krc.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.740{72106695-B3FC-63D3-AD03-00000000BD02}5512WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ortcwqvg.zbi.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.740{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ortcwqvg.zbi.ps12023-01-27 11:22:37.740 23542300x8000000000000000321236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.678{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-CTUS-A-20230127-1122.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.631{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE81706ED904FA828ED4290FDBFF95E3,SHA256=152044B5C3A98E6E8D57A64FFE80158623478D26DF9D42D91A65CB9F7EC8AAC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.537{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1E9B00958766BCCA05753C1C13DBA659,SHA256=082EE7125486DFF9869C55E298979D217734657307E767923C7B0DFE08657247,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.492{72106695-9B85-63D3-1400-00000000BD02}10323972C:\Windows\system32\svchost.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.492{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.443{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.443{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000321229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-CreatePipe2023-01-27 11:22:37.412{72106695-B3FC-63D3-AD03-00000000BD02}5512\PSHost.133192921568843282.5512.DefaultAppDomain.powershellC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000321228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.397{72106695-B3FC-63D3-AD03-00000000BD02}5512WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_02pkrd0i.lg1.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.397{72106695-B3FC-63D3-AD03-00000000BD02}5512WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mmzfqxju.d4w.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.381{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mmzfqxju.d4w.ps12023-01-27 11:22:37.381 10341000x8000000000000000321225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.351{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.334{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.320{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.242{72106695-9B85-63D3-1400-00000000BD02}10323972C:\Windows\system32\svchost.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.242{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.167{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.167{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.167{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.157{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.156{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.156{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.156{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.156{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.156{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000321211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.059{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=477DD69D48FB2E71D268AB9CEF38FE97,SHA256=7BD858AB39D95CB025AC53ADBDFDA43C2C3B1003DEE2E181D211903E1FD12F35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:38.826{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6AE6D8F00CC92520568B69DCD5A5AA2,SHA256=50BE644D3AC4F55653504131A47A4B4F5AD5F68626C11CDA3CF928FDD90F392E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.948{72106695-9B85-63D3-1500-00000000BD02}10401400C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000321284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.936{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=29E550D41F9263B9115BF9CA7CF90C2E,SHA256=A6FAD30AA1B8B475A9D9A3727A2F12D4B4DDFC78E90B487CA702878693E80C8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.934{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.932{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000321281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.854{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 734700x8000000000000000321280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.838{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000321279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.823{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.791{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.760{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.760{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.745{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.745{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.574{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C758659A6275AC78DF0FB4B4361513,SHA256=B67885E0DF12DB6BC8F0049F572BCAEAC8342B62AF8E361234D97A9015522FA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.557{72106695-9B84-63D3-0A00-00000000BD02}6202516C:\Windows\system32\services.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.554{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.536{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.536{72106695-9B84-63D3-0A00-00000000BD02}6203860C:\Windows\system32\services.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\system32\services.exe+21fc|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000321259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.521{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.521{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.521{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000321256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:38.505{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BITS\Performance\PerfMMFileNameGlobal\MMF_BITSecc3ff9c-fa8e-4199-857f-b75585ed9495 354300x8000000000000000447353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:35.934{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52672-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000321255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.346{72106695-9B88-63D3-4200-00000000BD02}2308NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\disk.PNFMD5=4EFFFA1A69CC68965A020830F5849EB6,SHA256=B483BF142AF92CA4090161655EEB82EBFAE5BD835896B15A5680CD0824CC2C46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.345{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-journalMD5=1161D921BD8756FC0D09FD5A8FF30390,SHA256=51426F2AD7CD6596FD9901BA303332AAA9A3CE8B8E41D49A482CA065644ED78F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.335{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-journalMD5=D39D4B1DA933984BCD42FC8C9F39C9B0,SHA256=88E0663C2A1D43E4F65D6FA8CB51B18E421F3956F9394B8731D55A81ADFFAF94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.190{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateResult.scratchMD5=21438EF4B9AD4FC266B6129A2F60DE29,SHA256=13BF7B3039C63BF5A50491FA3CFD8EB4E699D1BA1436315AEF9CBE5711530354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.189{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateError.scratchMD5=BD3457E50947D4280734E74B51B5B68D,SHA256=23D647979BC5DC186DE5BA3E00A222A912AB8E4782EB6407EFA70E29E95979F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.186{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4F439E8AC870F29B1F3199DAC8AA8C24,SHA256=FFD3D46770CB2C85FCDE2FAC4058FF6A1A23D2496F4CCE7327B7EC464F606EF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.168{72106695-B3FC-63D3-AD03-00000000BD02}5512WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=4EC9C6C86A2B618E8C869B7DD272B0EE,SHA256=8DEA3B617E28770368FF4E708938FC78D8AFC9C6D79D530B4DBDE5E347D7F403,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.045{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.043{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.043{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.040{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.040{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.040{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.037{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.037{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 23542300x8000000000000000447376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.886{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE736B63A8E7CE514BA6F19CC7D92E8,SHA256=DD05A6A8AA71803466C2B07EE713D6F1D83E3E6192D8AC4FCE472E4A48E2DBB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.180{72106695-9B82-63D3-0100-00000000BD02}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-ctus-attack-range-21250961-true0:0:0:0:0:0:0:1win-host-ctus-attack-range-21247001- 354300x8000000000000000321322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.180{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-host-ctus-attack-range-21250961-true0:0:0:0:0:0:0:1win-host-ctus-attack-range-21247001- 354300x8000000000000000321321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.111{72106695-9B82-63D3-0100-00000000BD02}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-ctus-attack-range-21250960-true0:0:0:0:0:0:0:1win-host-ctus-attack-range-21247001- 354300x8000000000000000321320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.111{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-host-ctus-attack-range-21250960-true0:0:0:0:0:0:0:1win-host-ctus-attack-range-21247001- 354300x8000000000000000321319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.048{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50959-false10.0.1.12-8089- 354300x8000000000000000321318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.034{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse239.255.255.250-1900ssdpfalse127.0.0.1win-host-ctus-attack-range-21256808- 10341000x8000000000000000321317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.986{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.986{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.657{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91F64870753C047B34F46942904FB00F,SHA256=6D44125926AB0DE0864E5E576685A5E8659F61AD757F7F4A0AC5FED4EA5D5039,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.579{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R5BD0D6D6-30E2-41A3-924A-B80F653C92A7\BITAA40.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.548{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=728E8BD7CC9E64831DAD05E0C1663506,SHA256=31B93541583E60229ABF5B6F84C967D5104A4F5FCB90DB61603E507C16FD596B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.532{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=761DD7037D6CFE9776F2807725AFCD35,SHA256=D229E926B5569F88F6D16DE0FD4E26CEE45AFBA4DAFE8F454576E7F4C03277E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.517{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R5BD0D6D6-30E2-41A3-924A-B80F653C92A7\BITAA40.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.517{72106695-9B85-63D3-1400-00000000BD02}10321432C:\Windows\system32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 23542300x8000000000000000321309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.517{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\i640CheckReachable43DF1BC3-3BED-4CA0-A281-3F36D5D53C5AMD5=69691C7BDCC3CE6D5D8A1361F22D04AC,SHA256=08F271887CE94707DA822D5263BAE19D5519CB3614E0DAEDC4C7CE5DAB7473F1,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x4d 354300x8000000000000000447375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:37.162{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A56804- 354300x8000000000000000447374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:37.078{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A57619- 10341000x8000000000000000447373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.520{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.499{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.491{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.488{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.486{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.483{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.451{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.446{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.426{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.419{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.411{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.397{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.389{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.379{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.362{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.353{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.345{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.313{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.305{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000321308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.501{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\BITA9E1.tmpMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000321307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.489{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\BITA9E1.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.724{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50958-false23.220.246.181a23-220-246-181.deploy.static.akamaitechnologies.com80http 354300x8000000000000000321305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.646{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50957-false52.109.4.18-443https 23542300x8000000000000000321304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.423{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\BITA9E1.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.408{72106695-9B85-63D3-1400-00000000BD02}10323512C:\Windows\system32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 23542300x8000000000000000321302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.392{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R85C46F03-C6D1-4ED6-81D5-020A1BA3D876\VersionDescriptor.xmlMD5=734094314B1AD4B9A51659C4C2B6F662,SHA256=52C2539D10DEBBA4C8DB2F9C18E7B7805BC1F9E229DF7ED209CBEE08B82AB57B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.391{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R85C46F03-C6D1-4ED6-81D5-020A1BA3D876\v64_16.0.15601.20456.cabMD5=8BBD8448DC98A6B5A8852A09FAEB1C60,SHA256=FBA7F173490B588AB932C6E104FD9C59BF561E484B533FF0C3BB0550336EA443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.376{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R85C46F03-C6D1-4ED6-81D5-020A1BA3D876\v64.hashMD5=A261BD5EDAFDF1EE98823D307848AC04,SHA256=5F8C91FB1B1004A895AB67CF027306F45937D97F757A3D3ACCC31F09C9C63E24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.241{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.241{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.241{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.240{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.240{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.240{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000321293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.130{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R85C46F03-C6D1-4ED6-81D5-020A1BA3D876\BITA8A7.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.107{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R85C46F03-C6D1-4ED6-81D5-020A1BA3D876\BITA8A7.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.101{72106695-9B85-63D3-1400-00000000BD02}10323512C:\Windows\system32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 23542300x8000000000000000321290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.099{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\v64_16.0.15601.20456CheckReachable5D0DC3DE-8825-4157-B863-B1E706CF6A39MD5=69691C7BDCC3CE6D5D8A1361F22D04AC,SHA256=08F271887CE94707DA822D5263BAE19D5519CB3614E0DAEDC4C7CE5DAB7473F1,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x4d 23542300x8000000000000000321289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.088{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\BITA858.tmpMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000321288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.075{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\BITA858.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.026{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\BITA858.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.010{72106695-9B85-63D3-1400-00000000BD02}10323512C:\Windows\system32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 23542300x8000000000000000447385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:40.955{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F6BCFF9BDE48661C5909B00C14D38B,SHA256=02A61D1433AE3BA705445DB2526461362E51D29C9DFFB1E1FC4A8CDA88CB2133,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:40.971{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\OfficeC2RClient.exe2023-01-27 11:22:40.971 11241100x8000000000000000321469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.971{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\msvcr120.dll2023-01-27 11:22:40.971 11241100x8000000000000000321468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.955{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\msvcp140.dll2023-01-27 11:22:40.955 11241100x8000000000000000321467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.955{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\msvcp120.dll2023-01-27 11:22:40.955 11241100x8000000000000000321466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.924{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\msix.dll2023-01-27 11:22:40.924 11241100x8000000000000000321465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:40.924{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\MavInject32.exe2023-01-27 11:22:40.924 11241100x8000000000000000321464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.893{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\manageability.dll2023-01-27 11:22:40.893 11241100x8000000000000000321463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.846{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\inventory.dll2023-01-27 11:22:40.846 23542300x8000000000000000321462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.815{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AE596BEA2684543DBE5CA6C167BD5E,SHA256=A500F0519383C8279D933F01026E2DE29058886ACA4012F0CD116D781F391120,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:40.752{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\IntegratedOffice.exe2023-01-27 11:22:40.752 11241100x8000000000000000321460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:40.752{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\InspectorOfficeGadget.exe2023-01-27 11:22:40.752 11241100x8000000000000000321459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.752{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\concrt140.dll2023-01-27 11:22:40.752 354300x8000000000000000321458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.034{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse127.0.0.1win-host-ctus-attack-range-21256808-false239.255.255.250-1900ssdp 10341000x8000000000000000321457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.752{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.752{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.650{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.644{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RUI.dll2023-01-27 11:22:40.644 10341000x8000000000000000321453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.643{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.642{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.zh-tw.dll2023-01-27 11:22:40.641 11241100x8000000000000000321451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.637{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.zh-cn.dll2023-01-27 11:22:40.636 10341000x8000000000000000321450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.635{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.630{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.vi-vn.dll2023-01-27 11:22:40.629 10341000x8000000000000000321448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.625{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.625{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.uk-ua.dll2023-01-27 11:22:40.623 10341000x8000000000000000321446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.623{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.622{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.tr-tr.dll2023-01-27 11:22:40.621 11241100x8000000000000000321444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.615{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.th-th.dll2023-01-27 11:22:40.615 11241100x8000000000000000321443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.614{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.sv-se.dll2023-01-27 11:22:40.614 11241100x8000000000000000321442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.613{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.sr-latn-rs.dll2023-01-27 11:22:40.613 11241100x8000000000000000321441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.612{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.sl-si.dll2023-01-27 11:22:40.610 11241100x8000000000000000321440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.610{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.sk-sk.dll2023-01-27 11:22:40.610 11241100x8000000000000000321439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.609{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.ru-ru.dll2023-01-27 11:22:40.609 11241100x8000000000000000321438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.608{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.ro-ro.dll2023-01-27 11:22:40.608 11241100x8000000000000000321437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.608{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.pt-pt.dll2023-01-27 11:22:40.608 11241100x8000000000000000321436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.607{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.pt-br.dll2023-01-27 11:22:40.607 11241100x8000000000000000321435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.606{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.pl-pl.dll2023-01-27 11:22:40.606 11241100x8000000000000000321434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.606{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.nl-nl.dll2023-01-27 11:22:40.605 11241100x8000000000000000321433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.605{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.nb-no.dll2023-01-27 11:22:40.604 11241100x8000000000000000321432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.604{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.ms-my.dll2023-01-27 11:22:40.600 11241100x8000000000000000321431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.599{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.lv-lv.dll2023-01-27 11:22:40.599 11241100x8000000000000000321430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.599{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.lt-lt.dll2023-01-27 11:22:40.599 11241100x8000000000000000321429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.598{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.ko-kr.dll2023-01-27 11:22:40.598 11241100x8000000000000000321428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.597{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.kk-kz.dll2023-01-27 11:22:40.597 11241100x8000000000000000321427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.596{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.ja-jp.dll2023-01-27 11:22:40.596 11241100x8000000000000000321426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.595{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.it-it.dll2023-01-27 11:22:40.595 11241100x8000000000000000321425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.594{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.id-id.dll2023-01-27 11:22:40.594 11241100x8000000000000000321424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.593{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.hu-hu.dll2023-01-27 11:22:40.593 11241100x8000000000000000321423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.592{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.hr-hr.dll2023-01-27 11:22:40.592 11241100x8000000000000000321422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.592{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.hi-in.dll2023-01-27 11:22:40.591 11241100x8000000000000000321421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.589{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.he-il.dll2023-01-27 11:22:40.589 11241100x8000000000000000321420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.584{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.fr-fr.dll2023-01-27 11:22:40.584 11241100x8000000000000000321419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.584{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.fr-ca.dll2023-01-27 11:22:40.583 11241100x8000000000000000321418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.583{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.fi-fi.dll2023-01-27 11:22:40.583 11241100x8000000000000000321417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.582{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.et-ee.dll2023-01-27 11:22:40.582 11241100x8000000000000000321416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.582{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.es-mx.dll2023-01-27 11:22:40.581 11241100x8000000000000000321415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.581{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.es-es.dll2023-01-27 11:22:40.581 11241100x8000000000000000321414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.580{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.en-us.dll2023-01-27 11:22:40.579 11241100x8000000000000000321413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.578{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.en-gb.dll2023-01-27 11:22:40.578 10341000x8000000000000000321412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.578{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.577{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.el-gr.dll2023-01-27 11:22:40.577 11241100x8000000000000000321410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.577{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.de-de.dll2023-01-27 11:22:40.577 11241100x8000000000000000321409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.576{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.da-dk.dll2023-01-27 11:22:40.576 11241100x8000000000000000321408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.575{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.cs-cz.dll2023-01-27 11:22:40.575 11241100x8000000000000000321407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.575{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.bg-bg.dll2023-01-27 11:22:40.575 11241100x8000000000000000321406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.574{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.ar-sa.dll2023-01-27 11:22:40.573 11241100x8000000000000000321405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.569{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\c2r64werhandler.dll2023-01-27 11:22:40.569 10341000x8000000000000000321404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.567{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.550{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2R64.dll2023-01-27 11:22:40.550 11241100x8000000000000000321402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.548{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\c2r32werhandler.dll2023-01-27 11:22:40.547 10341000x8000000000000000321401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.547{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.535{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 354300x8000000000000000447384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:37.940{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A52336- 354300x8000000000000000447383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:37.940{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A57086- 354300x8000000000000000447382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:37.940{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A58701- 10341000x8000000000000000447381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:40.118{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:40.113{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:40.110{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:40.108{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:40.106{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000321399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.531{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.531{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2R32.dll2023-01-27 11:22:40.531 11241100x8000000000000000321397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:40.528{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVShNotify.exe2023-01-27 11:22:40.528 10341000x8000000000000000321396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.527{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.526{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.524{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVScripting.dll2023-01-27 11:22:40.524 10341000x8000000000000000321393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.523{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.516{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.516{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.515{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVPolicy.dll2023-01-27 11:22:40.514 10341000x8000000000000000321389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.514{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.513{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.512{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.510{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.508{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.507{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVOrchestration.dll2023-01-27 11:22:40.507 10341000x8000000000000000321383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.501{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.500{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVManifest.dll2023-01-27 11:22:40.500 10341000x8000000000000000321381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.497{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.495{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVIsvVirtualization.dll2023-01-27 11:22:40.494 11241100x8000000000000000321379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.492{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVIsvSubsystems64_msix.dll2023-01-27 11:22:40.490 354300x8000000000000000321378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.325{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50962-false23.220.246.181a23-220-246-181.deploy.static.akamaitechnologies.com80http 10341000x8000000000000000321377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.482{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.475{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.473{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppvIsvSubsystems64_arm64x.dll2023-01-27 11:22:40.473 10341000x8000000000000000321374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.458{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.456{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppvIsvSubsystems64.dll2023-01-27 11:22:40.456 11241100x8000000000000000321372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.454{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppvIsvSubsystems32_msix.dll2023-01-27 11:22:40.454 10341000x8000000000000000321371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.442{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.442{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppvIsvSubsystems32.dll2023-01-27 11:22:40.437 10341000x8000000000000000321369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.437{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.426{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.423{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVIsvSubsystemController.dll2023-01-27 11:22:40.422 11241100x8000000000000000321366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.419{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVIsvStreamingManager.dll2023-01-27 11:22:40.419 11241100x8000000000000000321365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.414{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVIsvApi.dll2023-01-27 11:22:40.414 11241100x8000000000000000321364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.401{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVIntegration.dll2023-01-27 11:22:40.401 11241100x8000000000000000321363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.398{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVFileSystemMetadata.dll2023-01-27 11:22:40.397 10341000x8000000000000000321362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.391{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.385{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:40.384{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\appvcleaner.exe2023-01-27 11:22:40.384 11241100x8000000000000000321359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.379{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVCatalog.dll2023-01-27 11:22:40.379 10341000x8000000000000000321358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.376{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.375{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\ApiClient.dll2023-01-27 11:22:40.375 11241100x8000000000000000321356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.374{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:22:40.374 11241100x8000000000000000321355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.374{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:22:40.374 11241100x8000000000000000321354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.374{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:22:40.374 11241100x8000000000000000321353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.373{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:22:40.373 11241100x8000000000000000321352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.372{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:22:40.372 11241100x8000000000000000321351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.372{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-process-l1-1-0.dll2023-01-27 11:22:40.371 11241100x8000000000000000321350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.371{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-private-l1-1-0.dll2023-01-27 11:22:40.370 11241100x8000000000000000321349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.370{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-multibyte-l1-1-0.dll2023-01-27 11:22:40.370 10341000x8000000000000000321348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.369{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 11241100x8000000000000000321347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.369{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:22:40.369 11241100x8000000000000000321346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.369{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:22:40.369 11241100x8000000000000000321345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.368{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:22:40.368 11241100x8000000000000000321344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.368{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:22:40.368 11241100x8000000000000000321343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.368{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:22:40.367 11241100x8000000000000000321342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.367{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:22:40.367 11241100x8000000000000000321341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.367{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-conio-l1-1-0.dll2023-01-27 11:22:40.366 11241100x8000000000000000321340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.366{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-core-xstate-l2-1-0.dll2023-01-27 11:22:40.366 11241100x8000000000000000321339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.366{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-core-timezone-l1-1-0.dll2023-01-27 11:22:40.366 11241100x8000000000000000321338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.365{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-core-synch-l1-2-0.dll2023-01-27 11:22:40.365 11241100x8000000000000000321337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.365{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-core-processthreads-l1-1-1.dll2023-01-27 11:22:40.365 11241100x8000000000000000321336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.365{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-core-localization-l1-2-0.dll2023-01-27 11:22:40.364 11241100x8000000000000000321335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.364{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-core-file-l2-1-0.dll2023-01-27 11:22:40.363 11241100x8000000000000000321334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.363{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-core-file-l1-2-0.dll2023-01-27 11:22:40.362 10341000x8000000000000000321333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.358{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.352{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.345{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.336{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.328{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.320{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.315{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190) 10341000x8000000000000000321326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.186{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.183{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.183{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 23542300x8000000000000000321483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:41.939{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05EAB55D8E3DA01287B780600A283F42,SHA256=DEE59B851684B8B128ADFFF2A1A94BA62A4D269ACDB7311845F9CD2D3C935CD8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.502{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\vcruntime140_1.dll2023-01-27 11:22:41.502 11241100x8000000000000000321481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.502{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\vcruntime140.dll2023-01-27 11:22:41.502 11241100x8000000000000000321480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.502{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\vccorlib140.dll2023-01-27 11:22:41.486 11241100x8000000000000000321479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.486{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\ucrtbase.dll2023-01-27 11:22:41.486 11241100x8000000000000000321478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.440{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\StreamServer.dll2023-01-27 11:22:41.440 11241100x8000000000000000321477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.372{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\RepoMan.dll2023-01-27 11:22:41.371 11241100x8000000000000000321476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.352{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\policy.dll2023-01-27 11:22:41.352 11241100x8000000000000000321475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.351{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\offreg.dll2023-01-27 11:22:41.351 11241100x8000000000000000321474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:41.317{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\officesvcmgr.exe2023-01-27 11:22:41.317 11241100x8000000000000000321473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.311{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\officeinventory.dll2023-01-27 11:22:41.311 11241100x8000000000000000321472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:41.202{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\OfficeClickToRun.exe2023-01-27 11:22:41.202 11241100x8000000000000000321471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.183{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\OfficeC2RCom.dll2023-01-27 11:22:41.183 23542300x8000000000000000321518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.966{72106695-9B84-63D3-0A00-00000000BD02}620NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\nettun.PNFMD5=BD6709D5BF215E2CF91048A8CCDEBB3D,SHA256=C32982286CA7ACA0C46BEEA357EB862D310C77533A196F711D3B5974AC12EDFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.916{72106695-9B84-63D3-0A00-00000000BD02}620NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\kdnic.PNFMD5=861603879DD967E87280D332BBF7A1F3,SHA256=A4CFD010F2557CEFF643A89E8A6102E58A0380C14A6DBE6C23C372BF10E4C466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.885{72106695-9B84-63D3-0A00-00000000BD02}620NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\oem19.PNFMD5=DEB3EA3582187AC09FB17F4BFCDD1B29,SHA256=24B1DC69E5098CA0208FE82F3933595AA54D7B606E7F1313B4DDD8783C1C093F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.870{72106695-9B84-63D3-0A00-00000000BD02}620NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\disk.PNFMD5=20030ACEE21A871B3AA9005F2FD441BF,SHA256=97557E28164DEA0AA2F30EE0A3C6C87A16445948CDABFD12814D979CD10EF76F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B402-63D3-B003-00000000BD02}37803272C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+2ccc05|C:\Windows\System32\SHELL32.dll+204fb5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19cf94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19db4e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19c32f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B402-63D3-B003-00000000BD02}37803272C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+2ccbcf|C:\Windows\System32\SHELL32.dll+204fb5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19cf94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19db4e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19c32f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B402-63D3-B003-00000000BD02}37803272C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+2ccb55|C:\Windows\System32\SHELL32.dll+204f88|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19cf94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19db4e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19c32f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B402-63D3-B003-00000000BD02}37803272C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+2ccb42|C:\Windows\System32\SHELL32.dll+204f88|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19cf94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19db4e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19c32f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B402-63D3-B003-00000000BD02}37803272C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+2ccb42|C:\Windows\System32\SHELL32.dll+204f88|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19cf94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19db4e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19c32f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.807{72106695-B106-63D3-2B03-00000000BD02}9644604C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a3f3|C:\Windows\Explorer.EXE+5968c|C:\Windows\Explorer.EXE+56c33|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8032ED142A8)|UNKNOWN(FFFFFD9D5A4DE5FF)|UNKNOWN(FFFFFD9D5A483BA2)|UNKNOWN(FFFFFD9D5A47E1A1)|UNKNOWN(FFFFFD9D5A47FB6A)|UNKNOWN(FFFFFD9D5A47DE26)|UNKNOWN(FFFFF8032E988C03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e 10341000x8000000000000000321502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.807{72106695-B106-63D3-2B03-00000000BD02}9644604C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a3f3|C:\Windows\Explorer.EXE+5968c|C:\Windows\Explorer.EXE+56c33|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8032ED142A8)|UNKNOWN(FFFFFD9D5A4DE5FF)|UNKNOWN(FFFFFD9D5A483BA2)|UNKNOWN(FFFFFD9D5A47E1A1)|UNKNOWN(FFFFFD9D5A47FB6A)|UNKNOWN(FFFFFD9D5A47DE26)|UNKNOWN(FFFFF8032E988C03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\Explorer.EXE+51aca 10341000x8000000000000000321501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.807{72106695-B106-63D3-2B03-00000000BD02}9644604C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a3f3|C:\Windows\Explorer.EXE+5968c|C:\Windows\Explorer.EXE+56c33|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8032ED142A8)|UNKNOWN(FFFFFD9D5A4DE5FF)|UNKNOWN(FFFFFD9D5A483BA2)|UNKNOWN(FFFFFD9D5A47E1A1)|UNKNOWN(FFFFFD9D5A47FB6A)|UNKNOWN(FFFFFD9D5A47DE26)|UNKNOWN(FFFFF8032E988C03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e 10341000x8000000000000000321500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.698{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.651{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.651{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.588{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.573{72106695-9B85-63D3-1400-00000000BD02}10323512C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.557{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000321494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.334{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50963-false10.0.1.12-8000- 10341000x8000000000000000321493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.511{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.371{72106695-B102-63D3-1003-00000000BD02}39441080C:\Windows\system32\csrss.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.371{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.371{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.371{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.371{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.371{72106695-B3F8-63D3-A903-00000000BD02}60485684C:\Temp\OfficeSetup.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Temp\OfficeSetup.exe+162225|C:\Temp\OfficeSetup.exe+162311|C:\Temp\OfficeSetup.exe+162ac2|C:\Temp\OfficeSetup.exe+13640|C:\Temp\OfficeSetup.exe+1324c|C:\Temp\OfficeSetup.exe+137e5|C:\Temp\OfficeSetup.exe+339a1|C:\Temp\OfficeSetup.exe+27f2a|C:\Temp\OfficeSetup.exe+2a554|C:\Temp\OfficeSetup.exe+2a519|C:\Temp\OfficeSetup.exe+2a5f0 154100x8000000000000000321486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.272{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe16.0.15601.20446Microsoft Office Click-to-Run (SxS)Microsoft OfficeMicrosoft CorporationOfficeClickToRun.exeOfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365ProPlusRetail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114 baseurl.16=http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114 version.16=16.0.15601.20456 mediatype.16=CDN sourcetype.16=CDN O365ProPlusRetail.excludedapps.16=groove bitnessmigration=False deliverymechanism=7ffbc6bf-bc32-4f92-8982-f9dd17fd3114 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknownC:\Temp\WIN-HOST-CTUS-A\Administrator{72106695-B105-63D3-6E44-240000000000}0x24446e2HighMD5=B354D28EB4C8B414AFFC2904352FD859,SHA256=6D1197B8425CE42A482AA3799351E4B6C24C83804F40B7202B69A06ED588269D,IMPHASH=4FA4A7FB515E6A9EBA3594732D26ECF7{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe"C:\Temp\OfficeSetup.exe" 10341000x8000000000000000321485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.271{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.223{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R5BD0D6D6-30E2-41A3-924A-B80F653C92A7\i640.cabMD5=F1A87BD364E5E9ED021790138E395827,SHA256=44D2EAF5B814526EA283DAAD5333D87170CC71F63AE008BDF03B57CDAA880F13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.774{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.757{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.753{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.747{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.738{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.713{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.708{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.696{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.690{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.688{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.685{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.683{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.682{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.680{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.364{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.364{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.364{45AAC21C-9B83-63D3-0B00-00000000BC02}632796C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.349{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-3000-00000000BC02}2848C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.166{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.166{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.164{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.155{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x8000000000000000447387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.148{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x8000000000000000447386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.054{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37CECBF777CAC87D775C0CC0775A4ABA,SHA256=176F6AC5695E7110B28DBDA3716D482F6790743749EF49994DB1E2CD4C03B505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.986{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\OfficeC2R87976ADD-6B8F-4063-984D-09533066B623\BITBBB8.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.986{72106695-9B85-63D3-1400-00000000BD02}10322256C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 23542300x8000000000000000321570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.986{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Windows\Temp\s640CheckReachableFE4A2A8C-B82B-47E3-9D92-8C10965DA207MD5=69691C7BDCC3CE6D5D8A1361F22D04AC,SHA256=08F271887CE94707DA822D5263BAE19D5519CB3614E0DAEDC4C7CE5DAB7473F1,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x4d 23542300x8000000000000000321569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.986{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\BITBB79.tmpMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000321568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.970{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\BITBB79.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.923{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\BITBB79.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.923{72106695-9B85-63D3-1400-00000000BD02}10322256C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 23542300x8000000000000000321565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.876{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Windows\Temp\OfficeC2R1E05752F-31EC-4263-AFE0-9DD22FEE9EF6\s641033.cabMD5=78438A5023EDFD496D311B2352D9A8D5,SHA256=9B4DB69F1588766EBA3DD44CD34F40A92B31FD42772FB640FED34214F9C54EBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.830{72106695-9B85-63D3-1700-00000000BD02}12241448C:\Windows\System32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.658{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\OfficeC2R1E05752F-31EC-4263-AFE0-9DD22FEE9EF6\BITBA3F.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.611{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\OfficeC2R1E05752F-31EC-4263-AFE0-9DD22FEE9EF6\BITBA3F.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.596{72106695-9B85-63D3-1400-00000000BD02}10323512C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 23542300x8000000000000000321560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.596{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Windows\Temp\s641033CheckReachableDBF76697-148E-4FB8-A8B3-8ADAE12C4D88MD5=69691C7BDCC3CE6D5D8A1361F22D04AC,SHA256=08F271887CE94707DA822D5263BAE19D5519CB3614E0DAEDC4C7CE5DAB7473F1,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x4d 23542300x8000000000000000321559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.596{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\BITBA00.tmpMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000321558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.587{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\BITBA00.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.575{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.575{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.575{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.574{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.574{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.574{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x8000000000000000321551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.542{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\BITBA00.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.538{72106695-9B85-63D3-1400-00000000BD02}10323512C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 23542300x8000000000000000321549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.531{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB80BC9A3DCCD43A6608C763FCAEAA6,SHA256=72B9E04BEB588EF1CFEA03D61BABF2A959E4E3B75C79B7D4497EE5868381E2B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.424{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.424{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.424{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 11241100x8000000000000000321545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:43.301{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe2023-01-27 11:22:43.301 11241100x8000000000000000321544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:43.295{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe2023-01-27 11:22:43.295 10341000x8000000000000000321543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.113{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.112{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.105{72106695-9B84-63D3-0A00-00000000BD02}6202516C:\Windows\system32\services.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.104{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.104{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.077{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.077{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.077{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.073{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.028{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.028{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.028{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.028{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.028{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.028{72106695-9B84-63D3-0A00-00000000BD02}6203860C:\Windows\system32\services.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000321528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.030{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe16.0.15601.20446Microsoft Office Click-to-Run (SxS)Microsoft OfficeMicrosoft CorporationOfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /serviceC:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=B354D28EB4C8B414AFFC2904352FD859,SHA256=6D1197B8425CE42A482AA3799351E4B6C24C83804F40B7202B69A06ED588269D,IMPHASH=4FA4A7FB515E6A9EBA3594732D26ECF7{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\System32\services.exeC:\Windows\system32\services.exe 13241300x8000000000000000321527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:43.027{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\Security\SecurityBinary Data 13241300x8000000000000000321526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:43.027{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\FailureActionsBinary Data 13241300x8000000000000000321525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:43.027{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\Description‪Manages resource coordination, background streaming, and system integration of Microsoft Office products and their related updates. This service is required to run during the use of any Microsoft Office program, during initial streaming installation and all subsequent updates.‬ 13241300x8000000000000000321524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:43.024{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\ObjectNameLocalSystem 13241300x8000000000000000321523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:43.024{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\DisplayNameMicrosoft Office Click-to-Run Service 13241300x8000000000000000321522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1031,T1050SetValue2023-01-27 11:22:43.024{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\ImagePath"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service 13241300x8000000000000000321521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:43.024{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\ErrorControlDWORD (0x00000001) 13241300x8000000000000000321520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1031,T1050SetValue2023-01-27 11:22:43.024{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\StartDWORD (0x00000002) 13241300x8000000000000000321519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:43.024{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\TypeDWORD (0x00000010) 23542300x8000000000000000447410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:43.214{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73351737D444ECB63323C5629CF838A5,SHA256=0FE9D09991A199906FD3F71B1651FD9B8ED53778975137CF8F04F2BD864C790B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.208{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A54704- 354300x8000000000000000447413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:41.794{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52673-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000447412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:41.427{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A61197- 23542300x8000000000000000447411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:44.292{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CDC74D24C668FE4D5DAC34FAD45E5D9,SHA256=4F7939D05484817CE94F5A74A830153A42ECC0B4358D8A8869BB108CCC6CE034,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000321599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.830{72106695-9B85-63D3-1400-00000000BD02}1032f.c2r.ts.cdn.office.net0type: 5 office-fg-geo.trafficmanager.net;type: 5 c2r.a-0020.a-msedge.net;type: 5 a-0020.a-msedge.net;::ffff:204.79.197.223;C:\Windows\System32\svchost.exe 22542200x8000000000000000321598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.766{72106695-B403-63D3-B103-00000000BD02}6092f.c2r.ts.cdn.office.net0type: 5 office-fg-geo.trafficmanager.net;type: 5 c2r.a-0020.a-msedge.net;type: 5 a-0020.a-msedge.net;::ffff:204.79.197.223;C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x8000000000000000321597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.730{72106695-9B85-63D3-1D00-00000000BD02}19122652C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+3625|C:\Windows\System32\sechost.dll+2bfd|C:\Windows\System32\sechost.dll+2a01|C:\Windows\System32\sechost.dll+18df|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000321596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.694{72106695-B403-63D3-B103-00000000BD02}6092ecs.office.com0type: 5 ecs.office.trafficmanager.net;type: 5 s-0005-office.config.skype.com;type: 5 ecs-office.s-0005.s-msedge.net;type: 5 s-0005.s-msedge.net;::ffff:52.113.194.132;C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x8000000000000000321595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.730{72106695-9B85-63D3-1D00-00000000BD02}19122652C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+3625|C:\Windows\System32\sechost.dll+2bfd|C:\Windows\System32\sechost.dll+2a01|C:\Windows\System32\sechost.dll+18df|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000321594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.219{72106695-B402-63D3-B003-00000000BD02}3780ecs.office.com0type: 5 ecs.office.trafficmanager.net;type: 5 s-0005-office.config.skype.com;type: 5 ecs-office.s-0005.s-msedge.net;type: 5 s-0005.s-msedge.net;::ffff:52.113.194.132;C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x8000000000000000321593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.730{72106695-9B85-63D3-1D00-00000000BD02}19122652C:\Windows\sysmon64.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+3625|C:\Windows\System32\sechost.dll+2bfd|C:\Windows\System32\sechost.dll+2a01|C:\Windows\System32\sechost.dll+18df|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1B3E31E15B37AC4D87868976E1137A,SHA256=4120E77B9026A483CC8CE1B1DEFEC66F9895D7590C1DAF93FA951ACEE6CAFE8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.226{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50966-false52.113.194.132-443https 10341000x8000000000000000321590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000321588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.224{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50965-false52.109.13.64-443https 10341000x8000000000000000321587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000321585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.067{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50964-false52.109.4.32-443https 23542300x8000000000000000321584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6D861F46A792E7004F2F0E59BD6B9B97,SHA256=38827ED65DCA9CB9D326BFDE3EF3DA44CE958BEBDA209B65D0906386856A2A84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.326{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.326{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.326{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.325{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.325{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.325{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.247{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Windows\Temp\OfficeC2R87976ADD-6B8F-4063-984D-09533066B623\s640.cabMD5=42E186BC65953299C519806BD975C487,SHA256=54D3C789E3B1D6895623F7D5EB331F6655833E95F4D5B7BDB6DB15CA20913253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.048{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\OfficeC2R87976ADD-6B8F-4063-984D-09533066B623\BITBBB8.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.987{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B405-63D3-BC03-00000000BC02}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.987{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.987{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.987{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.987{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.987{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B405-63D3-BC03-00000000BC02}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.987{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B405-63D3-BC03-00000000BC02}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.988{45AAC21C-B405-63D3-BC03-00000000BC02}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.392{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C661814CD84CE14F77F968C32159C9,SHA256=05A68394463A134F47F457E74216C0EE6F4622380C818975AE9963AB2C814591,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.955{72106695-9B85-63D3-1400-00000000BD02}10321432C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.955{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.861{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.861{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.861{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.846{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.815{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.815{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.815{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.815{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.799{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000321618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDBSetValue2023-01-27 11:22:45.799{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exeHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeBinary Data 10341000x8000000000000000321617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.783{72106695-9B85-63D3-1200-00000000BD02}1000496C:\Windows\System32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.783{72106695-9B85-63D3-1200-00000000BD02}1000496C:\Windows\System32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.783{72106695-B102-63D3-1003-00000000BD02}39442856C:\Windows\system32\csrss.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.783{72106695-B106-63D3-2B03-00000000BD02}9644716C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\SHELL32.dll+599af|C:\Windows\System32\SHELL32.dll+5983c|C:\Windows\System32\SHELL32.dll+e308e|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000321613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.836{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50971-false204.79.197.223-80http 354300x8000000000000000321612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.772{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50970-false204.79.197.223-80http 10341000x8000000000000000321611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000321609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.701{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50969-false52.113.194.132-443https 10341000x8000000000000000321608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000321606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.701{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50968-false52.109.13.64-443https 10341000x8000000000000000321605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000321603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.573{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50967-false52.109.4.32-443https 10341000x8000000000000000321602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.217{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEDC2EBEACB7E63CFF92B2BD6FE0AE66,SHA256=25AA34A6CFD92C814631D8499C98D04CAAB0A5676DD9A3CE0185D706B073442C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000447438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:44.100{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A55535- 10341000x8000000000000000447437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.512{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B406-63D3-BD03-00000000BC02}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.512{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.512{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.512{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.512{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.512{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B406-63D3-BD03-00000000BC02}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.512{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B406-63D3-BD03-00000000BC02}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.514{45AAC21C-B406-63D3-BD03-00000000BC02}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.481{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BE29BAE8C31ACD8082EED34BBBA97F,SHA256=03C137378632EB612A9AD2FFF5D6EA31F3DACFC9664B1180D0E94024AB1E855C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.986{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\CERTINTL.DLL2023-01-27 11:22:46.984 11241100x8000000000000000321717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.984{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\BHOINTL.DLL2023-01-27 11:22:46.984 11241100x8000000000000000321716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.982{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\BCSRuntimeRes.dll2023-01-27 11:22:46.981 11241100x8000000000000000321715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.981{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ACWIZRC.DLL2023-01-27 11:22:46.981 11241100x8000000000000000321714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.981{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ACCOLKI.DLL2023-01-27 11:22:46.981 11241100x8000000000000000321713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.980{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\STSUCRES.DLL2023-01-27 11:22:46.980 11241100x8000000000000000321712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.936{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\MSOINTL.DLL2023-01-27 11:22:46.936 11241100x8000000000000000321711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.874{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\vcruntime140.dll2023-01-27 11:22:46.871 11241100x8000000000000000321710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.871{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\vccorlib140.dll2023-01-27 11:22:46.870 11241100x8000000000000000321709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.869{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\MSOINTL.DLL2023-01-27 11:22:46.869 10341000x8000000000000000321708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.858{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.858{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.857{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 11241100x8000000000000000321705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.842{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\UCRTBASE.DLL2023-01-27 11:22:46.841 11241100x8000000000000000321704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:46.840{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe2023-01-27 11:22:46.840 11241100x8000000000000000321703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:46.840{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe2023-01-27 11:22:46.840 11241100x8000000000000000321702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.840{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\C2R64.dll2023-01-27 11:22:46.839 11241100x8000000000000000321701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:46.838{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe2023-01-27 11:22:46.837 11241100x8000000000000000321700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.837{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AppvIsvSubsystems64.dll2023-01-27 11:22:46.837 11241100x8000000000000000321699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:46.837{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe2023-01-27 11:22:46.836 11241100x8000000000000000321698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.835{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:22:46.834 11241100x8000000000000000321697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.832{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-process-l1-1-0.dll2023-01-27 11:22:46.832 11241100x8000000000000000321696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:46.826{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PerfBoost.exe2023-01-27 11:22:46.826 11241100x8000000000000000321695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.825{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msvcp140.dll2023-01-27 11:22:46.825 11241100x8000000000000000321694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.822{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:22:46.821 11241100x8000000000000000321693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.821{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:22:46.819 11241100x8000000000000000321692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.818{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\concrt140.dll2023-01-27 11:22:46.818 11241100x8000000000000000321691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.817{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:22:46.817 11241100x8000000000000000321690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.816{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:22:46.816 11241100x8000000000000000321689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.815{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:22:46.814 11241100x8000000000000000321688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.814{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-private-l1-1-0.dll2023-01-27 11:22:46.812 11241100x8000000000000000321687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.812{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-multibyte-l1-1-0.dll2023-01-27 11:22:46.808 11241100x8000000000000000321686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.810{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-synch-l1-2-0.dll2023-01-27 11:22:46.804 11241100x8000000000000000321685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.810{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:22:46.804 11241100x8000000000000000321684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.810{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:22:46.804 11241100x8000000000000000321683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.805{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:22:46.802 11241100x8000000000000000321682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.800{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:22:46.798 11241100x8000000000000000321681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.798{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-localization-l1-2-0.dll2023-01-27 11:22:46.798 11241100x8000000000000000321680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.798{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-timezone-l1-1-0.dll2023-01-27 11:22:46.797 11241100x8000000000000000321679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.797{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:22:46.796 11241100x8000000000000000321678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.794{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-conio-l1-1-0.dll2023-01-27 11:22:46.794 11241100x8000000000000000321677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.794{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-processthreads-l1-1-1.dll2023-01-27 11:22:46.794 11241100x8000000000000000321676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.793{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-xstate-l2-1-0.dll2023-01-27 11:22:46.790 11241100x8000000000000000321675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.783{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-file-l2-1-0.dll2023-01-27 11:22:46.775 11241100x8000000000000000321674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.761{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-file-l1-2-0.dll2023-01-27 11:22:46.761 10341000x8000000000000000321673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.621{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.621{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.620{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.620{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.619{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.619{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.618{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.591{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.590{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.589{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.564{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC5AF.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.535{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC5AF.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.528{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 23542300x8000000000000000321660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.524{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\stream.x64.x-noneCheckReachableF182A2F5-A996-40D4-8BC2-05DAE1A41CEEMD5=9DD4E461268C8034F5C8564E155C67A6,SHA256=2D711642B726B04401627CA9FBAC32F5C8530FB1903CC4DB02258717921A4881,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x78 23542300x8000000000000000321659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.514{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC550.tmpMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000321658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.496{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC550.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.473{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.472{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.471{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.471{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.471{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.471{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.445{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC550.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.441{72106695-9B85-63D3-1400-00000000BD02}10323512C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 10341000x8000000000000000321649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.426{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.360{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC4E2.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.353{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A6CF53BF62162EA6393D4E3519B088C,SHA256=F2E077849722F6E998A4BC7E365FBE3F43F494FD60C39D2F06051EDBD225EB5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.334{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC4E2.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.330{72106695-9B85-63D3-1400-00000000BD02}10323972C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 23542300x8000000000000000321644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.328{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\stream.x64.en-usCheckReachable246A6C06-B9D3-425B-8436-4EC6C85B9AC8MD5=9DD4E461268C8034F5C8564E155C67A6,SHA256=2D711642B726B04401627CA9FBAC32F5C8530FB1903CC4DB02258717921A4881,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x78 23542300x8000000000000000321643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.317{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC4A3.tmpMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000321642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.305{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF25277277A604CA09DB8A95802A96A,SHA256=579974F01D034177F15A986F7C20ED68291F0D9EB3D684EF2DC7FD05BF081FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.300{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC4A3.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.273{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.273{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000321638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.271{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC4A3.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.267{72106695-9B85-63D3-1400-00000000BD02}10321432C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 10341000x8000000000000000321636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.253{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.253{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.253{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x8000000000000000321633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.235{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.149{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C8875B158745A54AE8A966AA8C66F2E1,SHA256=B30D38FECCF18ED578A83787A1EE5643952C58EF69F4335B74D1B7A7074C3A75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.031{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B405-63D3-BC03-00000000BC02}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000447426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.031{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B405-63D3-BC03-00000000BC02}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000447425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.031{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B405-63D3-BC03-00000000BC02}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 354300x8000000000000000447424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:43.074{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A58959- 23542300x8000000000000000321632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.172{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=29D669D106A5C4ED725D85834094DC71,SHA256=1B04D120EA6CAB2F04F33C158B07386F5C77EE060C482D7C2B0C59E247373DC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.157{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.157{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.566{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720D7C875A2CC47EEAFDCCFE8D26A91A,SHA256=169326E5A351D0C925612F840E1FB75DE76D7F0ABB02E6C9B0D414B9175D97DE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.991{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exe2023-01-27 11:22:47.991 11241100x8000000000000000321780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.976{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe2023-01-27 11:22:47.976 11241100x8000000000000000321779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.976{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe2023-01-27 11:22:47.976 11241100x8000000000000000321778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.944{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe2023-01-27 11:22:47.944 11241100x8000000000000000321777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.944{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe2023-01-27 11:22:47.944 11241100x8000000000000000321776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.944{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ocapires.dll2023-01-27 11:22:47.944 11241100x8000000000000000321775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.944{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\msotelemetryintl.dll2023-01-27 11:22:47.929 11241100x8000000000000000321774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.929{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\msotdintl.dll2023-01-27 11:22:47.929 11241100x8000000000000000321773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.929{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\lyncDesktopResources.dll2023-01-27 11:22:47.929 11241100x8000000000000000321772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.929{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\XLSLICER.DLL2023-01-27 11:22:47.929 11241100x8000000000000000321771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.929{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\XLLEX.DLL2023-01-27 11:22:47.929 11241100x8000000000000000321770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.929{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\XLINTL32.DLL2023-01-27 11:22:47.929 11241100x8000000000000000321769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.929{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe2023-01-27 11:22:47.929 11241100x8000000000000000321768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.913{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe2023-01-27 11:22:47.913 11241100x8000000000000000321767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WWINTL.DLL2023-01-27 11:22:47.898 11241100x8000000000000000321766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe2023-01-27 11:22:47.898 11241100x8000000000000000321765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\VVIEWRES.DLL2023-01-27 11:22:47.898 11241100x8000000000000000321764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe2023-01-27 11:22:47.898 11241100x8000000000000000321763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe2023-01-27 11:22:47.898 11241100x8000000000000000321762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe2023-01-27 11:22:47.898 11241100x8000000000000000321761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\UmOutlookStrings.dll2023-01-27 11:22:47.898 11241100x8000000000000000321760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.882{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\UccApiRes.dll2023-01-27 11:22:47.882 11241100x8000000000000000321759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.882{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\UcAddinRes.dll2023-01-27 11:22:47.882 11241100x8000000000000000321758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.882{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe2023-01-27 11:22:47.882 11241100x8000000000000000321757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\oregres.dll2023-01-27 11:22:47.866 11241100x8000000000000000321756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\STSLISTI.DLL2023-01-27 11:22:47.866 11241100x8000000000000000321755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SOCIALCONNECTORRES.DLL2023-01-27 11:22:47.866 11241100x8000000000000000321754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SLINTL.DLL2023-01-27 11:22:47.866 11241100x8000000000000000321753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\QRYINT32.DLL2023-01-27 11:22:47.866 11241100x8000000000000000321752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBWZINT.DLL2023-01-27 11:22:47.866 11241100x8000000000000000321751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUB6INTL.DLL2023-01-27 11:22:47.866 11241100x8000000000000000321750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PROTOCOLHANDLERINTL.DLL2023-01-27 11:22:47.866 11241100x8000000000000000321749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PPINTL.DLL2023-01-27 11:22:47.866 11241100x8000000000000000321748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OcPubRes.dll2023-01-27 11:22:47.866 11241100x8000000000000000321747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.851{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OcHelperResource.dll2023-01-27 11:22:47.851 11241100x8000000000000000321746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.851{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OUTLWVW.DLL2023-01-27 11:22:47.851 11241100x8000000000000000321745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.851{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OUTLLIBR.DLL2023-01-27 11:22:47.851 11241100x8000000000000000321744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.851{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ORGCINTL.DLL2023-01-27 11:22:47.851 11241100x8000000000000000321743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.835{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\oregres.dll2023-01-27 11:22:47.835 354300x8000000000000000321742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.741{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50974-false204.79.197.223-80http 354300x8000000000000000321741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.718{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50973-false52.109.13.64-443https 23542300x8000000000000000321740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:47.609{72106695-B402-63D3-B003-00000000BD02}3780WIN-HOST-CTUS-A\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-CTUS-A-20230127-1122a.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000321739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.504{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50972-false10.0.1.12-8000- 23542300x8000000000000000321738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:47.404{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F9E70D3961748F4ABB6CF9F2DBC30DE,SHA256=2CC81AEBF3490DC0903B8DD70600B167A5830AC761A4F9BF9721394130ED9F2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:47.401{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D22061A5E61CA2DE1B9723E6A23EFB,SHA256=4A578A22EC702A064CC2DC4CFD195CAD2ECFD99A43143C3605381B6E22B3DA0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000321736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:47.355{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:47.355{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000321734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:47.355{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0) 10341000x8000000000000000447451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.207{45AAC21C-B407-63D3-BE03-00000000BC02}42482108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.101{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B407-63D3-BE03-00000000BC02}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000447449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.101{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B407-63D3-BE03-00000000BC02}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000447448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.101{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B407-63D3-BE03-00000000BC02}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x8000000000000000447447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.031{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCB704D141CB890F4A1BD1C28A3466F6,SHA256=D789AD4DFA5DE5ED5D562BBC49448FD84B13BB346B15191764A1DFEE1D3BE121,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.012{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B407-63D3-BE03-00000000BC02}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.012{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.012{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.012{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.012{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.012{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B407-63D3-BE03-00000000BC02}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.012{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B407-63D3-BE03-00000000BC02}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.013{45AAC21C-B407-63D3-BE03-00000000BC02}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000321733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OMSINTL.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ONINTL.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OMICAUTINTL.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSSRINTL.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSAIN.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MOR6INT.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MAPISHELLR.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MAPIR.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\IFDPINTL.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\GRLEX.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\GRINTL32.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\EntityPickerIntl.dll2023-01-27 11:22:47.056 11241100x8000000000000000321721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\EXPTOOWS.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ENVELOPR.DLL2023-01-27 11:22:47.056 11241100x8000000000000000321719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\CLVWINTL.DLL2023-01-27 11:22:46.994 23542300x8000000000000000447454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:48.759{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C42F23D3B6DDF63EF2DF6D579B755B,SHA256=A077CC3456C45EC9BBEBADBB9404B68A069C3ACC0FFCB8751316E58AEF023DEA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.PasswordManager.Resources.dll2023-01-27 11:22:48.955 11241100x8000000000000000321958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\FM20ENU.DLL2023-01-27 11:22:48.955 11241100x8000000000000000321957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetIQ.ExcelServices.Resources.dll2023-01-27 11:22:48.955 11241100x8000000000000000321956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetIQ.ExcelAddin.Resources.dll2023-01-27 11:22:48.955 11241100x8000000000000000321955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetIQ.Diagram.Resources.dll2023-01-27 11:22:48.955 11241100x8000000000000000321954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.FileUtils.Resources.dll2023-01-27 11:22:48.955 11241100x8000000000000000321953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.ClientConfiguration.Resources.dll2023-01-27 11:22:48.955 11241100x8000000000000000321952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.ExcelServices.Resources.dll2023-01-27 11:22:48.955 11241100x8000000000000000321951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.AuditItems.Resources.dll2023-01-27 11:22:48.955 11241100x8000000000000000321950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\1033\NATIVESHIM.RESOURCES.DLL2023-01-27 11:22:48.955 11241100x8000000000000000321949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.940{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\STSUPLD.INTL.DLL2023-01-27 11:22:48.940 11241100x8000000000000000321948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.940{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\VVIEWRES.DLL2023-01-27 11:22:48.940 11241100x8000000000000000321947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.940{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\OcHelperResource.dll2023-01-27 11:22:48.940 11241100x8000000000000000321946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.940{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\OCLTINT.DLL2023-01-27 11:22:48.940 11241100x8000000000000000321945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.940{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\MAPISHELLR.DLL2023-01-27 11:22:48.940 11241100x8000000000000000321944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.924{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\GrooveIntlResource.dll2023-01-27 11:22:48.924 11241100x8000000000000000321943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.902{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\BHOINTL.DLL2023-01-27 11:22:48.901 11241100x8000000000000000321942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.897{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\PortalConnect.dll2023-01-27 11:22:48.897 11241100x8000000000000000321941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.897{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\msointl30.dll2023-01-27 11:22:48.896 11241100x8000000000000000321940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.892{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\SYSTEM\MSMAPI\1033\MSMAPI32.DLL2023-01-27 11:22:48.892 11241100x8000000000000000321939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.890{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\VBEUIINTL.DLL2023-01-27 11:22:48.890 11241100x8000000000000000321938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.889{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL2023-01-27 11:22:48.888 11241100x8000000000000000321937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.886{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.DLL2023-01-27 11:22:48.886 11241100x8000000000000000321936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.886{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.DLL2023-01-27 11:22:48.885 11241100x8000000000000000321935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.875{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FSTOCK.DLL2023-01-27 11:22:48.873 11241100x8000000000000000321934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.872{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FPLACE.DLL2023-01-27 11:22:48.872 11241100x8000000000000000321933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.872{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\STINTL.DLL2023-01-27 11:22:48.871 11241100x8000000000000000321932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.871{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\BRANDING.DLL2023-01-27 11:22:48.871 11241100x8000000000000000321931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.859{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\xlsrvintl.dll2023-01-27 11:22:48.859 11241100x8000000000000000321930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.641{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\msointl30.dll2023-01-27 11:22:48.641 11241100x8000000000000000321929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.641{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\OSFINTL.DLL2023-01-27 11:22:48.641 11241100x8000000000000000321928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.641{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\MSSOAPR3.DLL2023-01-27 11:22:48.641 11241100x8000000000000000321927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.641{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEWSTR.DLL2023-01-27 11:22:48.641 11241100x8000000000000000321926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.625{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEODBCI.DLL2023-01-27 11:22:48.625 11241100x8000000000000000321925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.625{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEINTL.DLL2023-01-27 11:22:48.625 11241100x8000000000000000321924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.625{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\GettingStarted16\SLINTL.DLL2023-01-27 11:22:48.625 11241100x8000000000000000321923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.625{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mscss7fr.dll2023-01-27 11:22:48.625 11241100x8000000000000000321922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.621{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mscss7es.dll2023-01-27 11:22:48.621 11241100x8000000000000000321921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.619{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mscss7en.dll2023-01-27 11:22:48.619 11241100x8000000000000000321920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.552{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\JitV.dll2023-01-27 11:22:48.552 11241100x8000000000000000321919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.548{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll2023-01-27 11:22:48.548 11241100x8000000000000000321918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.547{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\vcruntime140.dll2023-01-27 11:22:48.545 11241100x8000000000000000321917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.544{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\vccorlib140.dll2023-01-27 11:22:48.544 11241100x8000000000000000321916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.542{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\ucrtbase.dll2023-01-27 11:22:48.542 11241100x8000000000000000321915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.528{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\msvcr120.dll2023-01-27 11:22:48.528 11241100x8000000000000000321914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\msvcp140.dll2023-01-27 11:22:48.525 11241100x8000000000000000321913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.523{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\msvcp120.dll2023-01-27 11:22:48.523 11241100x8000000000000000321912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.520{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\mfc140u.dll2023-01-27 11:22:48.520 11241100x8000000000000000321911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.491{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:22:48.490 11241100x8000000000000000321910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.489{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:22:48.489 11241100x8000000000000000321909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.489{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\concrt140.dll2023-01-27 11:22:48.488 11241100x8000000000000000321908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.488{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:22:48.487 11241100x8000000000000000321907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.484{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:22:48.484 11241100x8000000000000000321906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.484{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:22:48.483 11241100x8000000000000000321905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.483{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-process-l1-1-0.dll2023-01-27 11:22:48.481 11241100x8000000000000000321904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.481{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-private-l1-1-0.dll2023-01-27 11:22:48.479 11241100x8000000000000000321903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.479{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:22:48.477 11241100x8000000000000000321902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.476{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:22:48.475 11241100x8000000000000000321901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.475{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:22:48.475 11241100x8000000000000000321900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.475{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:22:48.474 11241100x8000000000000000321899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.474{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:22:48.474 11241100x8000000000000000321898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.474{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:22:48.474 11241100x8000000000000000321897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.474{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-conio-l1-1-0.dll2023-01-27 11:22:48.473 11241100x8000000000000000321896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.474{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-multibyte-l1-1-0.dll2023-01-27 11:22:48.473 11241100x8000000000000000321895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.473{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-xstate-l2-1-0.dll2023-01-27 11:22:48.473 11241100x8000000000000000321894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.469{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-timezone-l1-1-0.dll2023-01-27 11:22:48.469 11241100x8000000000000000321893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.469{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-synch-l1-2-0.dll2023-01-27 11:22:48.469 11241100x8000000000000000321892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.469{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-processthreads-l1-1-1.dll2023-01-27 11:22:48.468 11241100x8000000000000000321891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.468{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-localization-l1-2-0.dll2023-01-27 11:22:48.463 11241100x8000000000000000321890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.463{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-file-l2-1-0.dll2023-01-27 11:22:48.462 11241100x8000000000000000321889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.462{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-file-l1-2-0.dll2023-01-27 11:22:48.462 11241100x8000000000000000321888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.461{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXEV.DLL2023-01-27 11:22:48.461 11241100x8000000000000000321887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.461{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\vcruntime140_1.dll2023-01-27 11:22:48.461 11241100x8000000000000000321886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.460{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\vcruntime140.dll2023-01-27 11:22:48.460 11241100x8000000000000000321885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.460{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\vccorlib140.dll2023-01-27 11:22:48.460 11241100x8000000000000000321884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.460{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\ucrtbase.dll2023-01-27 11:22:48.448 23542300x8000000000000000321883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:48.460{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B755EEA9444801AFD6A2BF8EDBE219E,SHA256=11281C33C54E54B087DCDDDFB9F323DC8CB9B13BCC48C3CB24EF7C9820B178E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:48.448{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7D7ECF0A4A6ABFDF98E09543AB05CC2,SHA256=1A99DD171F1C7D84D6E2593A84CA06398E93B035A1EBC03F9518CE7DF3C4F52F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.433{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\offfiltx.dll2023-01-27 11:22:48.433 11241100x8000000000000000321880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.425{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\odffilt.dll2023-01-27 11:22:48.425 11241100x8000000000000000321879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.414{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\msvcr120.dll2023-01-27 11:22:48.414 11241100x8000000000000000321878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.406{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\msvcp140.dll2023-01-27 11:22:48.405 11241100x8000000000000000321877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.402{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\msvcp120.dll2023-01-27 11:22:48.402 11241100x8000000000000000321876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.397{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\msgfilt.dll2023-01-27 11:22:48.397 11241100x8000000000000000321875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.397{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\mfc140u.dll2023-01-27 11:22:48.396 23542300x8000000000000000447453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:48.038{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F782B410078CBB2F893449A791CA2748,SHA256=26840C0A44E21B4A6A21188788E98ABBDAB5ABA225699BEB813C899AD91FE624,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.351{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\concrt140.dll2023-01-27 11:22:48.351 11241100x8000000000000000321873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.351{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:22:48.350 11241100x8000000000000000321872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.351{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:22:48.350 11241100x8000000000000000321871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.349{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:22:48.348 11241100x8000000000000000321870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.348{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:22:48.348 11241100x8000000000000000321869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.348{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:22:48.347 11241100x8000000000000000321868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.347{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:22:48.347 11241100x8000000000000000321867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.347{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-multibyte-l1-1-0.dll2023-01-27 11:22:48.344 11241100x8000000000000000321866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.347{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:22:48.344 11241100x8000000000000000321865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.344{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-timezone-l1-1-0.dll2023-01-27 11:22:48.344 11241100x8000000000000000321864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.344{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:22:48.343 11241100x8000000000000000321863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.343{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:22:48.343 11241100x8000000000000000321862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.343{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:22:48.343 11241100x8000000000000000321861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.341{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-process-l1-1-0.dll2023-01-27 11:22:48.341 11241100x8000000000000000321860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.341{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-private-l1-1-0.dll2023-01-27 11:22:48.341 11241100x8000000000000000321859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.341{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-conio-l1-1-0.dll2023-01-27 11:22:48.340 11241100x8000000000000000321858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.340{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-xstate-l2-1-0.dll2023-01-27 11:22:48.340 11241100x8000000000000000321857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.340{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:22:48.340 11241100x8000000000000000321856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.340{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-synch-l1-2-0.dll2023-01-27 11:22:48.340 11241100x8000000000000000321855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.340{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-processthreads-l1-1-1.dll2023-01-27 11:22:48.339 11241100x8000000000000000321854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.339{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-localization-l1-2-0.dll2023-01-27 11:22:48.336 11241100x8000000000000000321853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.336{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-file-l2-1-0.dll2023-01-27 11:22:48.335 11241100x8000000000000000321852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.335{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-file-l1-2-0.dll2023-01-27 11:22:48.335 11241100x8000000000000000321851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.333{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OWSSUPP.DLL2023-01-27 11:22:48.333 11241100x8000000000000000321850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.319{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OSFPROXY.DLL2023-01-27 11:22:48.319 11241100x8000000000000000321849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.319{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NPSPWRAP.DLL2023-01-27 11:22:48.319 11241100x8000000000000000321848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.319{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOSB.DLL2023-01-27 11:22:48.314 11241100x8000000000000000321847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.314{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOHEV.DLL2023-01-27 11:22:48.314 11241100x8000000000000000321846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.310{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\JitV.dll2023-01-27 11:22:48.310 11241100x8000000000000000321845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.307{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Interceptor.dll2023-01-27 11:22:48.306 11241100x8000000000000000321844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.300{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\Integrator.exe2023-01-27 11:22:48.300 11241100x8000000000000000321843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.241{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\vcruntime140_1.dll2023-01-27 11:22:48.241 11241100x8000000000000000321842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.241{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\vcruntime140.dll2023-01-27 11:22:48.240 11241100x8000000000000000321841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.240{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\vccorlib140.dll2023-01-27 11:22:48.239 11241100x8000000000000000321840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.221{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msth8FR.DLL2023-01-27 11:22:48.221 11241100x8000000000000000321839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.221{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\ucrtbase.dll2023-01-27 11:22:48.221 11241100x8000000000000000321838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.221{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msth8ES.DLL2023-01-27 11:22:48.221 11241100x8000000000000000321837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.205{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msth8EN.DLL2023-01-27 11:22:48.205 11241100x8000000000000000321836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.205{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSHY7FR.DLL2023-01-27 11:22:48.205 11241100x8000000000000000321835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.205{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\msvcr120.dll2023-01-27 11:22:48.205 11241100x8000000000000000321834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.190{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSHY7ES.DLL2023-01-27 11:22:48.190 11241100x8000000000000000321833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.190{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSHY7EN.DLL2023-01-27 11:22:48.190 11241100x8000000000000000321832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.190{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\msvcp140.dll2023-01-27 11:22:48.190 11241100x8000000000000000321831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.190{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7MODELS000C.dll2023-01-27 11:22:48.190 11241100x8000000000000000321830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.190{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\msvcp120.dll2023-01-27 11:22:48.190 23542300x8000000000000000321829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:48.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-journalMD5=7E28CA982D0207B8FBACBA001B55DE3C,SHA256=1CC6E4C1EC4D3CB5FF85FEB14B9152A664ACB79D66411D836B9C59D8DF313BAA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7MODELS000A.dll2023-01-27 11:22:48.174 11241100x8000000000000000321827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7MODELS0009.dll2023-01-27 11:22:48.174 11241100x8000000000000000321826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSYUBIN7.DLL2023-01-27 11:22:48.174 11241100x8000000000000000321825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Library\SOLVER\SOLVER32.DLL2023-01-27 11:22:48.174 11241100x8000000000000000321824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CSS7DATA000C.DLL2023-01-27 11:22:48.174 11241100x8000000000000000321823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CSS7DATA000A.DLL2023-01-27 11:22:48.158 11241100x8000000000000000321822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CSS7DATA0009.DLL2023-01-27 11:22:48.158 11241100x8000000000000000321821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\1033\TRANSMRR.DLL2023-01-27 11:22:48.158 23542300x8000000000000000321820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:48.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-journalMD5=B804CA082B6CD88A825A46051584F06F,SHA256=3DDC33F6EF2963407F26C11F5248D84545BF9082CE5E64AB8668A709813A0460,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\1033\LOCALDV.DLL2023-01-27 11:22:48.158 11241100x8000000000000000321818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\wxpr.dll2023-01-27 11:22:48.158 11241100x8000000000000000321817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.143{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\mfc140u.dll2023-01-27 11:22:48.143 23542300x8000000000000000321816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:48.127{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Windows\Temp\WIN-HOST-CTUS-A-20230127-1122.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000321815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.089{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\C2R64.dll2023-01-27 11:22:48.089 11241100x8000000000000000321814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.089{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\AppvIsvSubsystems64.dll2023-01-27 11:22:48.088 11241100x8000000000000000321813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.086{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\concrt140.dll2023-01-27 11:22:48.084 11241100x8000000000000000321812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.084{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\AppVLP.exe2023-01-27 11:22:48.084 11241100x8000000000000000321811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.082{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\AppVDllSurrogate64.exe2023-01-27 11:22:48.081 11241100x8000000000000000321810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.081{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\AppVDllSurrogate32.exe2023-01-27 11:22:48.081 11241100x8000000000000000321809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.081{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\AppVDllSurrogate.exe2023-01-27 11:22:48.079 11241100x8000000000000000321808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.078{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:22:48.077 11241100x8000000000000000321807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.077{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:22:48.077 11241100x8000000000000000321806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.077{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:22:48.077 11241100x8000000000000000321805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.077{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:22:48.076 11241100x8000000000000000321804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.076{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:22:48.076 11241100x8000000000000000321803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.076{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-process-l1-1-0.dll2023-01-27 11:22:48.075 11241100x8000000000000000321802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.071{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-multibyte-l1-1-0.dll2023-01-27 11:22:48.069 11241100x8000000000000000321801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:22:48.069 11241100x8000000000000000321800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:22:48.068 11241100x8000000000000000321799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.068{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:22:48.068 11241100x8000000000000000321798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.068{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:22:48.067 11241100x8000000000000000321797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.068{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-private-l1-1-0.dll2023-01-27 11:22:48.067 11241100x8000000000000000321796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.067{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:22:48.067 11241100x8000000000000000321795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.067{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:22:48.066 11241100x8000000000000000321794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.067{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-localization-l1-2-0.dll2023-01-27 11:22:48.066 11241100x8000000000000000321793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.067{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-conio-l1-1-0.dll2023-01-27 11:22:48.066 11241100x8000000000000000321792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.067{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-timezone-l1-1-0.dll2023-01-27 11:22:48.064 11241100x8000000000000000321791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-synch-l1-2-0.dll2023-01-27 11:22:48.064 11241100x8000000000000000321790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-processthreads-l1-1-1.dll2023-01-27 11:22:48.063 11241100x8000000000000000321789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.063{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-xstate-l2-1-0.dll2023-01-27 11:22:48.062 11241100x8000000000000000321788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.062{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-file-l2-1-0.dll2023-01-27 11:22:48.062 11241100x8000000000000000321787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.062{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-file-l1-2-0.dll2023-01-27 11:22:48.062 11241100x8000000000000000321786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.061{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe2023-01-27 11:22:48.061 11241100x8000000000000000321785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.023{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe2023-01-27 11:22:48.023 11241100x8000000000000000321784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.007{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exe2023-01-27 11:22:48.007 11241100x8000000000000000321783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.991{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe2023-01-27 11:22:47.991 11241100x8000000000000000321782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.991{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe2023-01-27 11:22:47.991 10341000x8000000000000000447474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.868{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B409-63D3-C003-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.868{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.868{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.868{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B409-63D3-C003-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.868{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.868{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.868{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B409-63D3-C003-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.869{45AAC21C-B409-63D3-C003-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.852{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D000F6EAC4AA557EE845601C284DEE9,SHA256=E7682D395B04FEC5FC79C85F32FBAB170611AA81510C9632B7BC17E8D9FE2804,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.966{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\XLMACRO.CHM2023-01-27 11:22:49.966 11241100x8000000000000000322009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.950{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WordNaiveBayesCommandRanker.txt2023-01-27 11:22:49.950 11241100x8000000000000000322008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.857{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WacLangPackEula.txt2023-01-27 11:22:49.857 11241100x8000000000000000322007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.857{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WacLangPack2021Eula.txt2023-01-27 11:22:49.857 11241100x8000000000000000322006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.857{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WacLangPack2019Eula.txt2023-01-27 11:22:49.857 11241100x8000000000000000322005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.760{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\STSLIST.CHM2023-01-27 11:22:49.760 11241100x8000000000000000322004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.760{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\smb_eula.txt2023-01-27 11:22:49.760 11241100x8000000000000000322003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.760{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt2023-01-27 11:22:49.758 11241100x8000000000000000322002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.758{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SkypeForBusinessBasic2021_eula.txt2023-01-27 11:22:49.745 11241100x8000000000000000322001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.745{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt2023-01-27 11:22:49.745 11241100x8000000000000000322000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.745{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SkypeForBusinessVDI2021_eula.txt2023-01-27 11:22:49.745 23542300x8000000000000000321999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.508{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD92912EAC32CC737E88DD12F70CFC0B,SHA256=222EFDB63236ED6CBB235A6813899324070275BBA4D9D36A8BAB85E4E7035499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000321998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.505{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=627C46EB5C44F5988F91CF07C081B10C,SHA256=F91238F386D666B990367D63E7C41EF041D3BCB974B6B7AA314C1C783BF86FA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.399{45AAC21C-B409-63D3-BF03-00000000BC02}26246052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B409-63D3-BF03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B409-63D3-BF03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B409-63D3-BF03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-B409-63D3-BF03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000447456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.250{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52674-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x8000000000000000447455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.250{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52674-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 11241100x8000000000000000321997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.347{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PROTTPLN.XLS2023-01-27 11:22:49.347 11241100x8000000000000000321996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.347{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PROTTPLV.XLS2023-01-27 11:22:49.346 11241100x8000000000000000321995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.347{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PROTTPLV.PPT2023-01-27 11:22:49.346 11241100x8000000000000000321994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.346{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PROTTPLN.PPT2023-01-27 11:22:49.346 11241100x8000000000000000321993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.341{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt2023-01-27 11:22:49.339 11241100x8000000000000000321992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.333{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookTaskNaiveBayesCommandRanker.txt2023-01-27 11:22:49.332 11241100x8000000000000000321991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.331{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookNaiveBayesCommandRanker.txt2023-01-27 11:22:49.331 11241100x8000000000000000321990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.329{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookMeetingReqSendNaiveBayesCommandRanker.txt2023-01-27 11:22:49.329 11241100x8000000000000000321989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.328{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookMeetingReqReadNaiveBayesCommandRanker.txt2023-01-27 11:22:49.328 11241100x8000000000000000321988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.327{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookMailReadNaiveBayesCommandRanker.txt2023-01-27 11:22:49.327 11241100x8000000000000000321987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.325{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookMailNaiveBayesCommandRanker.txt2023-01-27 11:22:49.325 11241100x8000000000000000321986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.323{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookApptNaiveBayesCommandRanker.txt2023-01-27 11:22:49.322 11241100x8000000000000000321985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.222{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookAddrNaiveBayesCommandRanker.txt2023-01-27 11:22:49.222 11241100x8000000000000000321984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.199{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ORGCHART.CHM2023-01-27 11:22:49.199 11241100x8000000000000000321983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.188{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSQRY32.CHM2023-01-27 11:22:49.187 11241100x8000000000000000321982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.112{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\LyncBasic_Eula.txt2023-01-27 11:22:49.111 11241100x8000000000000000321981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.108{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\LyncVDI_Eula.txt2023-01-27 11:22:49.107 11241100x8000000000000000321980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.091{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt2023-01-27 11:22:49.091 11241100x8000000000000000321979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientVolumeLicense2021_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientARMRefer2019_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientOSub_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientLangPack2021_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientLangPack2019_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientSub_M365_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientSub2019_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientVolumeLicense_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientOSub2019_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientLangPack_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientVolumeLicense2019_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientSub_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientARMRefer_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientPreview_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\client_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\Client2021_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\Client2019_eula.txt2023-01-27 11:22:49.064 11241100x8000000000000000321962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.049{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\AccessRuntime2019_eula.txt2023-01-27 11:22:49.049 11241100x8000000000000000321961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.049{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\AccessRuntime_eula.txt2023-01-27 11:22:49.049 11241100x8000000000000000321960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.049{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\AccessRuntime2021_eula.txt2023-01-27 11:22:49.049 11241100x8000000000000000322015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:50.677{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\C2R64.dll2023-01-27 11:22:50.677 11241100x8000000000000000322014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:50.677{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AppvIsvSubsystems64.dll2023-01-27 11:22:50.677 11241100x8000000000000000322013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:50.677{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe2023-01-27 11:22:50.677 23542300x8000000000000000322012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:50.612{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230127093815-101MD5=FAFF531EDF0CFC03BCEBADF518BA5361,SHA256=88BF976C27BC6DB398DABD588375EB870CCDB2E8695A85E73E9E0CF078A2553A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:50.550{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9218CD53C9C2F450ABF6FE704510168,SHA256=8797C9F8ADC1A59F2609BC7B6675B2FF8E5C8A0D7C0E56024644782996E1C50B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.672{45AAC21C-B40A-63D3-C103-00000000BC02}45524624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.469{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B40A-63D3-C103-00000000BC02}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.469{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.469{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.469{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.469{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.469{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B40A-63D3-C103-00000000BC02}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.469{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B40A-63D3-C103-00000000BC02}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.470{45AAC21C-B40A-63D3-C103-00000000BC02}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000447478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.111{45AAC21C-B409-63D3-C003-00000000BC02}17081336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.099{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B409-63D3-C003-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000447476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.099{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B409-63D3-C003-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x8000000000000000447475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.099{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B409-63D3-C003-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 11241100x8000000000000000322020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:51.770{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SAMPLES\SOLVSAMP.XLS2023-01-27 11:22:51.770 11241100x8000000000000000322019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:51.744{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\Addons\OneDriveSetup.exe2023-01-27 11:22:51.744 23542300x8000000000000000322018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:51.606{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-102MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:51.584{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F47179D9CC89D09602AAFB328AAD3E,SHA256=BAD9186FF768F7C68AB034250E7D70736FC2EF7E3E5BD37EBAF56E7726E0829D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000447497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.642{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B40B-63D3-C203-00000000BC02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.642{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.642{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.642{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.642{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.642{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B40B-63D3-C203-00000000BC02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.642{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B40B-63D3-C203-00000000BC02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000447490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.643{45AAC21C-B40B-63D3-C203-00000000BC02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000447489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.740{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52675-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000447488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.031{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A5201FA07A1EB90EFD788FA6F8A6A7,SHA256=8CD9FFB9DD6515942174F2420FA9EA10975326C0AFFF988E0780B6A508DDD31E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:51.269{72106695-B405-63D3-B203-00000000BD02}4756WIN-HOST-CTUS-A\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-CTUS-A-20230127-1122b.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:52.849{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\ACCOLK.DLL2023-01-27 11:22:52.849 11241100x8000000000000000322024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:52.849{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ACEDAO.DLL2023-01-27 11:22:52.849 11241100x8000000000000000322023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:52.628{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ACCWIZ.DLL2023-01-27 11:22:52.627 11241100x8000000000000000322022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:52.624{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ACCICONS.EXE2023-01-27 11:22:52.624 23542300x8000000000000000322021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:52.592{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C21185B957A735BBEFE486683E5E7BB7,SHA256=9B7E2684862CE4C3A62EE88E341C59585A580DD27DD26804D8A369085B275463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:52.780{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8780856D97B81386002FD772C6228A0,SHA256=791D1F7173A9384C31D8D9532174F972DD4474EC5903A51A6A66B226C7B65126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000447498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:52.139{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EC610E28001EB0A3857B4DFA17ACD3,SHA256=B35A6F792157DB7455D8522138F406FDFD877A98B0591750057EA76AD86251FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.828{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45EA5913BFEF55D14BED3A570CF4831,SHA256=8E06897D193ECD6264B7C0B2B38DC100F310F827168040E763CA7D25920286F4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dll2023-01-27 11:22:53.828 11241100x8000000000000000322058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.ValueTuple.dll2023-01-27 11:22:53.827 11241100x8000000000000000322057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.814{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MsoAriaCApiWrapper.dll2023-01-27 11:22:53.814 11241100x8000000000000000322056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.814{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.SapClient.dll2023-01-27 11:22:53.814 11241100x8000000000000000322055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.814{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.Tools.Applications.Runtime.dll2023-01-27 11:22:53.569 10341000x8000000000000000322054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.689{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B40D-63D3-B303-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.689{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B40D-63D3-B303-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.689{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.689{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.689{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.689{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.689{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B40D-63D3-B303-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.518{72106695-B40D-63D3-B303-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:53.341{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=099331F536251554CD577D42BC294B2F,SHA256=7DB420DFEA69F90415558806B7B00274B7577F32B480122E5C0ED331847F3EB1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.569{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.Edm.NetFX35.dll2023-01-27 11:22:53.569 11241100x8000000000000000322045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.568{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.dll2023-01-27 11:22:53.568 11241100x8000000000000000322044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.568{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Excel.dll2023-01-27 11:22:53.360 23542300x8000000000000000322043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.531{72106695-B402-63D3-B003-00000000BD02}3780WIN-HOST-CTUS-A\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-journalMD5=0437BF4F0955874D4DA79AEA907BD746,SHA256=D9B05893A250C8D607753978E5F86B250C05D8D74F7AA1117F1D0EF167CC62E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:51.331{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50975-false10.0.1.12-8000- 10341000x8000000000000000322041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.492{72106695-9B85-63D3-1700-00000000BD02}12242536C:\Windows\System32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000322040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.360{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.v4.0.Utilities.dll2023-01-27 11:22:53.359 11241100x8000000000000000322039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.359{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Telemetry.Json.dll2023-01-27 11:22:53.359 11241100x8000000000000000322038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.359{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Telemetry.EventFlags.dll2023-01-27 11:22:53.358 11241100x8000000000000000322037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.358{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll2023-01-27 11:22:53.358 11241100x8000000000000000322036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.358{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Extensions.Logging.Abstractions.dll2023-01-27 11:22:53.358 11241100x8000000000000000322035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.358{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Workbook.dll2023-01-27 11:22:53.357 11241100x8000000000000000322034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.357{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Views.dll2023-01-27 11:22:53.357 11241100x8000000000000000322033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.357{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.UWP.dll2023-01-27 11:22:53.357 11241100x8000000000000000322032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.357{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.StreamerUI.dll2023-01-27 11:22:53.356 11241100x8000000000000000322031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.354{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Service.dll2023-01-27 11:22:53.354 11241100x8000000000000000322030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.354{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Serial.dll2023-01-27 11:22:53.354 11241100x8000000000000000322029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.354{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Manifest.dll2023-01-27 11:22:53.352 11241100x8000000000000000322028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.352{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll2023-01-27 11:22:53.352 11241100x8000000000000000322027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.101{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Core.dll2023-01-27 11:22:53.101 11241100x8000000000000000322026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.063{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\ColleagueImport.dll2023-01-27 11:22:52.849 10341000x8000000000000000322130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.724{72106695-B40E-63D3-B403-00000000BD02}7406112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000322129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.dll2023-01-27 11:22:54.708 11241100x8000000000000000322128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.dll2023-01-27 11:22:54.708 11241100x8000000000000000322127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.ProgramSynthesis.dll2023-01-27 11:22:54.708 11241100x8000000000000000322126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dll2023-01-27 11:22:54.708 11241100x8000000000000000322125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Storage.XmlSerializers.dll2023-01-27 11:22:54.708 11241100x8000000000000000322124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.Library45.dll2023-01-27 11:22:54.708 11241100x8000000000000000322123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.WebViews.dll2023-01-27 11:22:54.708 11241100x8000000000000000322122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.WebViews.Windows.Shared.dll2023-01-27 11:22:54.708 11241100x8000000000000000322121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.WebViews.Windows.EdgeChromium.dll2023-01-27 11:22:54.708 11241100x8000000000000000322120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll2023-01-27 11:22:54.609 23542300x8000000000000000447501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:54.431{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3856807CDE20AC3DAC7618F4A9A35BF8,SHA256=99ADE4A565276E573C740B41E119B4EE176CC1117B7B357316C9F9F90435405D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.609{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Shims.dll2023-01-27 11:22:54.609 11241100x8000000000000000322118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.609{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.SapBwProvider.dll2023-01-27 11:22:54.609 11241100x8000000000000000322117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.609{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.XmlSerializers.dll2023-01-27 11:22:54.608 11241100x8000000000000000322116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.608{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbProvider.dll2023-01-27 11:22:54.608 11241100x8000000000000000322115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:54.608{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe2023-01-27 11:22:54.608 11241100x8000000000000000322114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.608{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OAuth.dll2023-01-27 11:22:54.607 11241100x8000000000000000322113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.607{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.EventSource.dll2023-01-27 11:22:54.607 11241100x8000000000000000322112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.607{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.DocumentServices.dll2023-01-27 11:22:54.607 11241100x8000000000000000322111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.607{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.dll2023-01-27 11:22:54.607 11241100x8000000000000000322110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.607{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ProviderShared.dll2023-01-27 11:22:54.606 11241100x8000000000000000322109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.606{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbInterop.dll2023-01-27 11:22:54.605 11241100x8000000000000000322108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:54.604{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe2023-01-27 11:22:54.604 11241100x8000000000000000322107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:54.601{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe2023-01-27 11:22:54.601 11241100x8000000000000000322106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:54.601{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe2023-01-27 11:22:54.600 23542300x8000000000000000322105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.568{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=604BCF9BD2FD101C1B69B261791092F4,SHA256=9246B38D41CE27EB5BFE93E9FBE449BA599C31F6896F8CA192FA55A46971B0B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:52.745{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50977-false72.21.91.29-80http 354300x8000000000000000322103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:52.625{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50976-false51.104.15.253-443https 10341000x8000000000000000322102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.518{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B40E-63D3-B403-00000000BD02}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.516{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.516{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.516{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.515{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.515{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B40E-63D3-B403-00000000BD02}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.515{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B40E-63D3-B403-00000000BD02}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.358{72106695-B40E-63D3-B403-00000000BD02}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000322094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.314{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBUI6.CHM2023-01-27 11:22:54.309 11241100x8000000000000000322093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.314{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBOB6.CHM2023-01-27 11:22:54.309 11241100x8000000000000000322092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.308{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBLR6.CHM2023-01-27 11:22:54.308 11241100x8000000000000000322091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.308{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\VBAOWS10.CHM2023-01-27 11:22:54.307 11241100x8000000000000000322090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.307{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBHW6.CHM2023-01-27 11:22:54.307 11241100x8000000000000000322089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.307{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBENDF98.CHM2023-01-27 11:22:54.307 11241100x8000000000000000322088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.307{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBCN6.CHM2023-01-27 11:22:54.307 11241100x8000000000000000322087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.306{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\FM20.CHM2023-01-27 11:22:54.305 11241100x8000000000000000322086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.290{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\PSS10O.CHM2023-01-27 11:22:54.290 11241100x8000000000000000322085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.288{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\SETUP.CHM2023-01-27 11:22:54.287 11241100x8000000000000000322084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.286{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\PSS10R.CHM2023-01-27 11:22:54.286 11241100x8000000000000000322083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.286{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ADO210.CHM2023-01-27 11:22:54.285 11241100x8000000000000000322082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.276{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Packaging.dll2023-01-27 11:22:54.275 11241100x8000000000000000322081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.276{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Models.dll2023-01-27 11:22:54.275 11241100x8000000000000000322080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.274{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.dll2023-01-27 11:22:54.272 11241100x8000000000000000322079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.273{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\EEINTL.DLL2023-01-27 11:22:54.273 11241100x8000000000000000322078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.268{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.UI.dll2023-01-27 11:22:54.267 11241100x8000000000000000322077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.267{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.UI.Extension.dll2023-01-27 11:22:54.265 23542300x8000000000000000322076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.194{72106695-B402-63D3-B003-00000000BD02}3780WIN-HOST-CTUS-A\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-journalMD5=9401611DCE9F0B7D4453FA874B37FF66,SHA256=9168922BF719C301820EBC7A41E2397B302203595F42AF285AEA52B6F1148BFC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.128{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Extensions.dll2023-01-27 11:22:54.112 11241100x8000000000000000322074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.128{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Themes.dll2023-01-27 11:22:54.112 11241100x8000000000000000322073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.128{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll2023-01-27 11:22:54.112 11241100x8000000000000000322072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.112{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.AddinTelemetry.dll2023-01-27 11:22:54.112 10341000x8000000000000000322071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.081{72106695-B40D-63D3-B303-00000000BD02}58723960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000322070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll2023-01-27 11:22:54.047 11241100x8000000000000000322069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll2023-01-27 11:22:54.047 11241100x8000000000000000322068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.TransformDataByExample.dll2023-01-27 11:22:54.047 11241100x8000000000000000322067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dll2023-01-27 11:22:54.047 11241100x8000000000000000322066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatchingCommon.dll2023-01-27 11:22:54.047 11241100x8000000000000000322065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\OTelCS.dll2023-01-27 11:22:54.047 11241100x8000000000000000322064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyClustering.dll2023-01-27 11:22:54.047 11241100x8000000000000000322063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.dll2023-01-27 11:22:54.047 11241100x8000000000000000322062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.Query.NetFX35.dll2023-01-27 11:22:54.047 11241100x8000000000000000322061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatching.dll2023-01-27 11:22:53.814 23542300x8000000000000000447503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:55.629{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80C8C36CA3960B65C5A732C8B890561,SHA256=30C937AD71FE18CFD9E1682F4FDB698BB49B10195EACD05BA79B13CD290B0812,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.976{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll2023-01-27 11:22:55.976 11241100x8000000000000000322212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.976{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.ConnectionUI.dll2023-01-27 11:22:55.975 11241100x8000000000000000322211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.975{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll2023-01-27 11:22:55.975 11241100x8000000000000000322210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.975{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Excel.Common.FrontEnd.XmlSerializers.dll2023-01-27 11:22:55.975 11241100x8000000000000000322209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.974{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Excel.BackEnd.dll2023-01-27 11:22:55.974 11241100x8000000000000000322208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.974{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Excel.BackEnd.XmlSerializers.dll2023-01-27 11:22:55.974 11241100x8000000000000000322207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.974{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Common.dll2023-01-27 11:22:55.971 11241100x8000000000000000322206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.972{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.RsClient.dll2023-01-27 11:22:55.972 11241100x8000000000000000322205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.971{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\ReportingServicesNativeClient.dll2023-01-27 11:22:55.971 11241100x8000000000000000322204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.971{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Common.Wizard.dll2023-01-27 11:22:55.967 11241100x8000000000000000322203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.967{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.dll2023-01-27 11:22:55.965 11241100x8000000000000000322202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.965{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\OFFICE.dll2023-01-27 11:22:55.965 11241100x8000000000000000322201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.965{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Types.dll2023-01-27 11:22:55.965 11241100x8000000000000000322200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.965{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Configuration.SString.dll2023-01-27 11:22:55.965 11241100x8000000000000000322199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.965{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Interop.MSDASC.dll2023-01-27 11:22:55.964 11241100x8000000000000000322198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.963{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportViewer.WinForms.dll2023-01-27 11:22:55.963 11241100x8000000000000000322197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.963{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Forms.dll2023-01-27 11:22:55.963 11241100x8000000000000000322196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.963{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.dll2023-01-27 11:22:55.962 11241100x8000000000000000322195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.962{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Common.dll2023-01-27 11:22:55.962 11241100x8000000000000000322194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.962{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dll2023-01-27 11:22:55.961 11241100x8000000000000000322193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.961{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.Interfaces.DLL2023-01-27 11:22:55.947 11241100x8000000000000000322192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.961{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Diagnostics.dll2023-01-27 11:22:55.947 11241100x8000000000000000322191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.947{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.dll2023-01-27 11:22:55.946 11241100x8000000000000000322190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.946{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportViewer.Common.dll2023-01-27 11:22:55.946 11241100x8000000000000000322189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.945{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.DataExtensions.dll2023-01-27 11:22:55.944 11241100x8000000000000000322188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.944{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.MDXQueryGenerator.dll2023-01-27 11:22:55.944 11241100x8000000000000000322187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.944{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.DataWarehouse.dll2023-01-27 11:22:55.942 11241100x8000000000000000322186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.943{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll2023-01-27 11:22:55.942 11241100x8000000000000000322185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.943{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.DLL2023-01-27 11:22:55.942 11241100x8000000000000000322184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.942{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.Extensions.dll2023-01-27 11:22:55.941 11241100x8000000000000000322183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.940{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Common.dll2023-01-27 11:22:55.899 11241100x8000000000000000322182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.899{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll2023-01-27 11:22:55.898 11241100x8000000000000000322181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.XLHost.Modeler.dll2023-01-27 11:22:55.728 11241100x8000000000000000322180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.SPClient.Interfaces.DLL2023-01-27 11:22:55.728 11241100x8000000000000000322179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.dll2023-01-27 11:22:55.729 11241100x8000000000000000322178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Layout.dll2023-01-27 11:22:55.728 11241100x8000000000000000322177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.Dialog.dll2023-01-27 11:22:55.728 11241100x8000000000000000322176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll2023-01-27 11:22:55.728 11241100x8000000000000000322175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.727{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Core.dll2023-01-27 11:22:55.727 11241100x8000000000000000322174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.726{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll2023-01-27 11:22:55.726 11241100x8000000000000000322173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.726{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.XmlSerializers.dll2023-01-27 11:22:55.725 11241100x8000000000000000322172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.725{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.dll2023-01-27 11:22:55.725 11241100x8000000000000000322171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.725{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.dll2023-01-27 11:22:55.700 11241100x8000000000000000322170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.725{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.XmlSerializers.dll2023-01-27 11:22:55.725 23542300x8000000000000000322169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.723{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC38EF57F17CF4EE69B45A166544D09,SHA256=90EB04E7AD372EF02D05C461CF196162E586957B2E3870B2168B075E94E70658,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.700{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.Wizard.dll2023-01-27 11:22:55.699 11241100x8000000000000000322167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.700{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONDIRECTX.DLL2023-01-27 11:22:55.699 11241100x8000000000000000322166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.699{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\WPFEXTENSIONS.DLL2023-01-27 11:22:55.699 11241100x8000000000000000322165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.699{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL2023-01-27 11:22:55.699 11241100x8000000000000000322164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.699{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONENGINE.DLL2023-01-27 11:22:55.698 11241100x8000000000000000322163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.699{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONGRAPHICS.DLL2023-01-27 11:22:55.698 11241100x8000000000000000322162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.698{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Interop.MSDASC.dll2023-01-27 11:22:55.698 11241100x8000000000000000322161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.697{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\OUTLVBA.DLL2023-01-27 11:22:55.697 11241100x8000000000000000322160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.697{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCOMMON.DLL2023-01-27 11:22:55.696 11241100x8000000000000000322159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.697{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHART.DLL2023-01-27 11:22:55.696 11241100x8000000000000000322158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.696{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\POWERMAPCLASSIFICATION.DLL2023-01-27 11:22:55.696 11241100x8000000000000000322157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.695{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL2023-01-27 11:22:55.695 11241100x8000000000000000322156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.695{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCONTROL.DLL2023-01-27 11:22:55.423 11241100x8000000000000000322155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.423{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHARTCOMMON.DLL2023-01-27 11:22:55.423 11241100x8000000000000000322154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.423{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINDATAPROVIDER.DLL2023-01-27 11:22:55.422 11241100x8000000000000000322153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.422{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Web.Mvc.dll2023-01-27 11:22:55.422 11241100x8000000000000000322152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.422{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Web.WebView2.WinForms.dll2023-01-27 11:22:55.421 11241100x8000000000000000322151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.421{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Collections.Immutable.dll2023-01-27 11:22:55.421 11241100x8000000000000000322150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.421{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\PRIVATE_ODBC32.dll2023-01-27 11:22:55.160 10341000x8000000000000000322149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.235{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B40F-63D3-B503-00000000BD02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.233{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.233{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.233{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.232{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.232{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B40F-63D3-B503-00000000BD02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.232{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B40F-63D3-B503-00000000BD02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.074{72106695-B40F-63D3-B503-00000000BD02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000322141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\pdf2text.dll2023-01-27 11:22:55.158 11241100x8000000000000000322140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\mashupcompression.dll2023-01-27 11:22:55.157 11241100x8000000000000000322139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\WebView2Loader.dll2023-01-27 11:22:55.157 11241100x8000000000000000322138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Newtonsoft.Json.dll2023-01-27 11:22:55.156 11241100x8000000000000000322137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.156{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Spatial.NetFX35.dll2023-01-27 11:22:55.156 11241100x8000000000000000322136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.156{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.V7.dll2023-01-27 11:22:55.155 11241100x8000000000000000322135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.156{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.dll2023-01-27 11:22:55.155 11241100x8000000000000000322134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.155{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Web.WebView2.Core.dll2023-01-27 11:22:55.154 11241100x8000000000000000322133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.154{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.V7.dll2023-01-27 11:22:55.154 11241100x8000000000000000322132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.154{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Practices.Unity.dll2023-01-27 11:22:55.154 11241100x8000000000000000322131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.154{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.PowerBI.AdomdClient.dll2023-01-27 11:22:54.708 354300x8000000000000000447502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.986{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A49690- 11241100x8000000000000000322317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.968{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\msipc.dll2023-01-27 11:22:56.968 11241100x8000000000000000322316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.968{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\ipcsecproc.dll2023-01-27 11:22:56.968 23542300x8000000000000000322315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.953{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A357C9A5E5A047B8024AEBB9C34305,SHA256=0B90388DDC49E2B34A1125A3BAF7EDE49D4363D7783044FEC809417F183CF651,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.929{72106695-B410-63D3-B703-00000000BD02}29364468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000447506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:56.725{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=032D9C1F947F240D9C7CB3E466559E54,SHA256=45A00DCAF6797C37695FC3E99EEB2C4D344231211D4C30D1EEABFEB4E2C6CE50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.699{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B410-63D3-B703-00000000BD02}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.695{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.695{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.695{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.695{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.695{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B410-63D3-B703-00000000BD02}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.694{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B410-63D3-B703-00000000BD02}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.694{72106695-B410-63D3-B703-00000000BD02}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000322305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSAEXP30.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSBARCODE.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OART.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSACCESS.EXE2023-01-27 11:22:56.657 11241100x8000000000000000322301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MINSBROAMINGPROXY.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MORPH9.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MINSBPROXY.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MIMEDIR.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MAPISHELL.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MAPIPH.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LyncDesktopSmartBitmapResources.dll2023-01-27 11:22:56.657 11241100x8000000000000000322294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\IVY.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\INTLDATE.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\INKCOMMENT.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\IGX.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\IEContentService.exe2023-01-27 11:22:56.657 11241100x8000000000000000322289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\IEAWSDC.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Httpproxy.DLL2023-01-27 11:22:56.657 11241100x8000000000000000322287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\GRAPH.EXE2023-01-27 11:22:56.657 11241100x8000000000000000322286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\GKWord.dll2023-01-27 11:22:56.365 10341000x8000000000000000322285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.393{72106695-B40F-63D3-B603-00000000BD02}25805288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000322284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.364{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\GKPowerPoint.dll2023-01-27 11:22:56.364 11241100x8000000000000000322283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.364{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\GKExcel.dll2023-01-27 11:22:56.364 11241100x8000000000000000322282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.363{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\GFX.DLL2023-01-27 11:22:56.363 11241100x8000000000000000322281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.363{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EntityDataHandler.dll2023-01-27 11:22:56.362 11241100x8000000000000000322280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.362{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EntityPicker.dll2023-01-27 11:22:56.362 11241100x8000000000000000322279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.362{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EXSEC32.DLL2023-01-27 11:22:56.362 11241100x8000000000000000322278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:56.360{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EXCEL.EXE2023-01-27 11:22:56.360 23542300x8000000000000000322277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.360{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49E55A51E1209285EE6D2281AB2F0F39,SHA256=66EFA93514B366FC5A38313B0F93D549B4CF70FB560427B8F9768F3E0FA00C62,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.360{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\DIFF_MATCH_PATCH_WIN32.DLL2023-01-27 11:22:56.345 11241100x8000000000000000322275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.360{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EMABLT32.DLL2023-01-27 11:22:56.314 11241100x8000000000000000322274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.329{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ENVELOPE.DLL2023-01-27 11:22:56.314 11241100x8000000000000000322273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.314{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\TRANSMGR.DLL2023-01-27 11:22:56.314 11241100x8000000000000000322272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.314{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mfc140u.dll2023-01-27 11:22:56.314 11241100x8000000000000000322271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.314{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\DLGSETP.DLL2023-01-27 11:22:56.097 11241100x8000000000000000322270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.096{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\DBGCORE.DLL2023-01-27 11:22:56.096 11241100x8000000000000000322269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.095{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Cpprest141_2_10.DLL2023-01-27 11:22:56.092 10341000x8000000000000000322268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.094{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B40F-63D3-B603-00000000BD02}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000322267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.092{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EMSMDB32.DLL2023-01-27 11:22:56.092 11241100x8000000000000000322266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.092{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\RM.DLL2023-01-27 11:22:56.091 10341000x8000000000000000322265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.090{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.089{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.089{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.089{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.089{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B40F-63D3-B603-00000000BD02}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.088{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B40F-63D3-B603-00000000BD02}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.899{72106695-B40F-63D3-B603-00000000BD02}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000322258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\DBGHELP.DLL2023-01-27 11:22:56.063 11241100x8000000000000000322257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:56.050{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CNFNOT32.EXE2023-01-27 11:22:56.050 11241100x8000000000000000322256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:56.050{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CLVIEW.EXE2023-01-27 11:22:56.050 11241100x8000000000000000322255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.050{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AutoHelper.dll2023-01-27 11:22:56.050 354300x8000000000000000447505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:53.238{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A54114- 354300x8000000000000000447504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:52.757{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52676-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000322254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.049{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONTAB32.DLL2023-01-27 11:22:56.049 11241100x8000000000000000322253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.049{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CHART.DLL2023-01-27 11:22:56.049 11241100x8000000000000000322252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.048{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\BIPLAT.DLL2023-01-27 11:22:56.048 11241100x8000000000000000322251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:56.048{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AppSharingHookController64.exe2023-01-27 11:22:56.047 11241100x8000000000000000322250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AppSharingChromeHook64.dll2023-01-27 11:22:56.047 11241100x8000000000000000322249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Appshapi.dll2023-01-27 11:22:56.046 11241100x8000000000000000322248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.046{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AUDIOSEARCHSAPIFE.DLL2023-01-27 11:22:56.045 11241100x8000000000000000322247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.045{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\vcruntime140_1.dll2023-01-27 11:22:56.045 11241100x8000000000000000322246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.045{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AUDIOSEARCHMAIN.DLL2023-01-27 11:22:56.044 11241100x8000000000000000322245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.045{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AUDIOSEARCHLTS.DLL2023-01-27 11:22:56.044 11241100x8000000000000000322244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.044{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportingServices.Interfaces.dll2023-01-27 11:22:56.043 11241100x8000000000000000322243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.043{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\OFFICE.dll2023-01-27 11:22:56.043 11241100x8000000000000000322242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.043{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportingServices.RsClient.dll2023-01-27 11:22:56.043 11241100x8000000000000000322241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.043{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\ReportingServicesNativeClient.dll2023-01-27 11:22:56.027 11241100x8000000000000000322240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.027{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\sqmapi.dll2023-01-27 11:22:56.026 11241100x8000000000000000322239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.027{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\UmOutlookAddin.dll2023-01-27 11:22:56.026 11241100x8000000000000000322238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.026{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.SqlServer.Configuration.SString.dll2023-01-27 11:22:56.026 11241100x8000000000000000322237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.026{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.SqlServer.Types.dll2023-01-27 11:22:56.025 11241100x8000000000000000322236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.026{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportingServices.ReportDesign.Common.dll2023-01-27 11:22:56.025 11241100x8000000000000000322235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.025{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\PowerPivotExcelClientAddIn.dll2023-01-27 11:22:56.024 11241100x8000000000000000322234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.024{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.DataWarehouse.dll2023-01-27 11:22:56.024 11241100x8000000000000000322233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.024{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportingServices.Diagnostics.dll2023-01-27 11:22:56.024 11241100x8000000000000000322232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.024{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll2023-01-27 11:22:56.023 11241100x8000000000000000322231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.023{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Office.PowerPivot.ExcelAddIn.dll2023-01-27 11:22:56.022 11241100x8000000000000000322230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.021{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportingServices.ReportDesign.Forms.dll2023-01-27 11:22:56.021 11241100x8000000000000000322229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.021{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.ReportingServices.DataExtensions.dll2023-01-27 11:22:56.014 11241100x8000000000000000322228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.013{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.MDXQueryGenerator.dll2023-01-27 11:22:56.013 11241100x8000000000000000322227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.013{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.Recommendation.Client.Core.dll2023-01-27 11:22:56.013 11241100x8000000000000000322226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.013{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportViewer.WinForms.dll2023-01-27 11:22:56.012 11241100x8000000000000000322225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.012{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportViewer.Common.dll2023-01-27 11:22:56.012 11241100x8000000000000000322224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.011{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.DataWarehouse.Interfaces.DLL2023-01-27 11:22:56.011 11241100x8000000000000000322223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.011{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.DataWarehouse.DLL2023-01-27 11:22:56.010 11241100x8000000000000000322222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.010{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Office.Interop.Excel.dll2023-01-27 11:22:56.010 11241100x8000000000000000322221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.010{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.ReportingServices.QueryDesigners.dll2023-01-27 11:22:56.009 11241100x8000000000000000322220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.009{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.ReportingServices.QueryDesigners.Extensions.dll2023-01-27 11:22:56.009 11241100x8000000000000000322219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.009{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.Recommendation.Common.dll2023-01-27 11:22:56.009 11241100x8000000000000000322218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.009{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.Recommendation.Client.Picasso.dll2023-01-27 11:22:56.006 11241100x8000000000000000322217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.005{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.ConnectionUI.Dialog.dll2023-01-27 11:22:56.005 11241100x8000000000000000322216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.005{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.XLHost.Modeler.dll2023-01-27 11:22:56.004 11241100x8000000000000000322215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.002{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.SPClient.Interfaces.DLL2023-01-27 11:22:56.001 11241100x8000000000000000322214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.001{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Layout.dll2023-01-27 11:22:56.000 23542300x8000000000000000447507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:57.817{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56C0DA1ACAA0D9C00BFC1C157154B52,SHA256=4C5A4F50822731EEA98F790C48948F0538AB7AD3E154DDB50D6B8B843C401FC4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.769{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBCONV.DLL2023-01-27 11:22:57.769 11241100x8000000000000000322431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.768{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PTXT9.DLL2023-01-27 11:22:57.768 11241100x8000000000000000322430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.768{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PRTF9.DLL2023-01-27 11:22:57.768 11241100x8000000000000000322429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.768{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PSTPRX32.DLL2023-01-27 11:22:57.768 11241100x8000000000000000322428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.768{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msgrammar8.dll2023-01-27 11:22:57.767 11241100x8000000000000000322427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.767{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msspell7.dll2023-01-27 11:22:57.767 11241100x8000000000000000322426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.767{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msgr3jp.dll2023-01-27 11:22:57.766 11241100x8000000000000000322425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.767{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PPTICO.EXE2023-01-27 11:22:57.767 11241100x8000000000000000322424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.766{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PPSLAX.DLL2023-01-27 11:22:57.766 11241100x8000000000000000322423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.766{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PPRESOURCES.DLL2023-01-27 11:22:57.765 11241100x8000000000000000322422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.765{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PPINTL.COMMON.DLL2023-01-27 11:22:57.765 11241100x8000000000000000322421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.765{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PPCORE.DLL2023-01-27 11:22:57.764 11241100x8000000000000000322420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.501{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\POWERPNT.EXE2023-01-27 11:22:57.501 11241100x8000000000000000322419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.501{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PEOPLEDATAHANDLER.DLL2023-01-27 11:22:57.500 11241100x8000000000000000322418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.500{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookWebHost.dll2023-01-27 11:22:57.500 11241100x8000000000000000322417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.500{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PDFREFLOW.EXE2023-01-27 11:22:57.500 11241100x8000000000000000322416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.499{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OfficeScrSanBroker.exe2023-01-27 11:22:57.499 11241100x8000000000000000322415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.499{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OfficeScrBroker.exe2023-01-27 11:22:57.499 11241100x8000000000000000322414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.499{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OsfTaskengine.dll2023-01-27 11:22:57.499 11241100x8000000000000000322413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.498{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OfficeJs_Core.DLL2023-01-27 11:22:57.498 11241100x8000000000000000322412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.498{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OfficeScr.dll2023-01-27 11:22:57.498 11241100x8000000000000000322411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.498{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLVBS.DLL2023-01-27 11:22:57.498 11241100x8000000000000000322410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.497{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLRPC.DLL2023-01-27 11:22:57.497 11241100x8000000000000000322409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.497{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OcPubMgr.exe2023-01-27 11:22:57.497 11241100x8000000000000000322408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.497{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLPH.DLL2023-01-27 11:22:57.497 11241100x8000000000000000322407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.497{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OcOffice.dll2023-01-27 11:22:57.496 11241100x8000000000000000322406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.496{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookServicing.DLL2023-01-27 11:22:57.496 11241100x8000000000000000322405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.492{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLMIME.DLL2023-01-27 11:22:57.492 11241100x8000000000000000322404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.491{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLOOK.EXE2023-01-27 11:22:57.490 11241100x8000000000000000322403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.490{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLCTL.DLL2023-01-27 11:22:57.486 11241100x8000000000000000322402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.490{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLLIBR.COMMON.DLL2023-01-27 11:22:57.490 11241100x8000000000000000322401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.486{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OSFUI.DLL2023-01-27 11:22:57.485 11241100x8000000000000000322400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.485{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OSFSHARED.DLL2023-01-27 11:22:57.485 11241100x8000000000000000322399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.485{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ORGCHART.EXE2023-01-27 11:22:57.484 11241100x8000000000000000322398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.484{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONENOTEM.EXE2023-01-27 11:22:57.483 11241100x8000000000000000322397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.484{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OSFROAMINGPROXY.DLL2023-01-27 11:22:57.483 11241100x8000000000000000322396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.484{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONWordAddin.dll2023-01-27 11:22:57.483 11241100x8000000000000000322395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.482{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OSF.DLL2023-01-27 11:22:57.481 11241100x8000000000000000322394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.480{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONLNTCOMLIB.DLL2023-01-27 11:22:57.480 11241100x8000000000000000322393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.478{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONRES.DLL2023-01-27 11:22:57.478 11241100x8000000000000000322392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.478{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONPPTAddin.dll2023-01-27 11:22:57.477 11241100x8000000000000000322391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.477{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONFILTER.DLL2023-01-27 11:22:57.477 11241100x8000000000000000322390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.477{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONBttnIE.dll2023-01-27 11:22:57.476 11241100x8000000000000000322389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.475{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONBttnPPT.dll2023-01-27 11:22:57.475 11241100x8000000000000000322388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.474{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONBttnIELinkedNotes.dll2023-01-27 11:22:57.474 11241100x8000000000000000322387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.474{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\onmain.DLL2023-01-27 11:22:57.474 11241100x8000000000000000322386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.474{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONENOTE.EXE2023-01-27 11:22:57.473 11241100x8000000000000000322385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.473{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONECLIENTW32.DLL2023-01-27 11:22:57.473 11241100x8000000000000000322384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.473{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONBttnWD.dll2023-01-27 11:22:57.473 11241100x8000000000000000322383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.472{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONBttnOL.dll2023-01-27 11:22:57.472 11241100x8000000000000000322382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.472{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OMSXP32.DLL2023-01-27 11:22:57.471 11241100x8000000000000000322381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.470{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OMSMAIN.DLL2023-01-27 11:22:57.470 11241100x8000000000000000322380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.469{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OMRAUT.DLL2023-01-27 11:22:57.469 11241100x8000000000000000322379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.469{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OMICAUT.DLL2023-01-27 11:22:57.469 11241100x8000000000000000322378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.468{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OLMAPI32.DLL2023-01-27 11:22:57.468 11241100x8000000000000000322377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.466{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OLKFSTUB.DLL2023-01-27 11:22:57.465 11241100x8000000000000000322376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.465{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OLCFG.EXE2023-01-27 11:22:57.464 11241100x8000000000000000322375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.465{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OIMG.DLL2023-01-27 11:22:57.459 11241100x8000000000000000322374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.459{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OFFRHD.DLL2023-01-27 11:22:57.456 11241100x8000000000000000322373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.454{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OFFICEJS_WORD.DLL2023-01-27 11:22:57.446 11241100x8000000000000000322372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.453{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\zlibwapi.dll2023-01-27 11:22:57.433 11241100x8000000000000000322371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.446{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OFFICEJS_EXCEL.DLL2023-01-27 11:22:57.446 11241100x8000000000000000322370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.432{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\zlibwapi.dll2023-01-27 11:22:57.423 11241100x8000000000000000322369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.425{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\sbicuuc58_64.dll2023-01-27 11:22:57.424 11241100x8000000000000000322368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.424{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\sfodbc_sb64.dll2023-01-27 11:22:57.424 23542300x8000000000000000322367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.424{72106695-B405-63D3-B203-00000000BD02}4756WIN-HOST-CTUS-A\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-journalMD5=2AC5F3AFCAB502E1C9D4338AB25A4649,SHA256=31947DE749CA9A6E56EAA58DD40A0E6047A5AD46D2FB23E163054D20AAAA70E2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.423{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\libssl-1_1-x64.dll2023-01-27 11:22:57.423 11241100x8000000000000000322365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.423{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\sbicuin58_64.dll2023-01-27 11:22:57.423 11241100x8000000000000000322364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.423{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\libcrypto-1_1-x64.dll2023-01-27 11:22:57.422 10341000x8000000000000000322363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.422{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B411-63D3-B803-00000000BD02}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000322362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.422{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\zlibwapi.dll2023-01-27 11:22:57.420 10341000x8000000000000000322361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.421{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.421{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.420{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.420{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000322357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.419{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\sbicudt58_64.dll2023-01-27 11:22:57.419 10341000x8000000000000000322356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.418{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B411-63D3-B803-00000000BD02}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.413{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B411-63D3-B803-00000000BD02}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.251{72106695-B411-63D3-B803-00000000BD02}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000322353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.411{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl.dll2023-01-27 11:22:57.410 11241100x8000000000000000322352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.409{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libssl-1_1-x64.dll2023-01-27 11:22:57.409 23542300x8000000000000000322351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.408{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=72E1696A3B17613CB1F5C69C5375EC87,SHA256=6ACD247E50A51CA31B689530805F80E52FFEAF4668F46B3ED2E64C44F26CF41C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.398{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libcrypto-1_1-x64.dll2023-01-27 11:22:57.398 11241100x8000000000000000322349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.388{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OCSCLIENTWIN32.DLL2023-01-27 11:22:57.386 11241100x8000000000000000322348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.387{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OCHelper.dll2023-01-27 11:22:57.372 23542300x8000000000000000322347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.384{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40882DA814495680525F9E84557E65B,SHA256=40CAB07430FFD6A0EAEB055228A230A13DD79C921A64345C1BC5BB73FED76C67,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OARTODF.DLL2023-01-27 11:22:57.129 11241100x8000000000000000322345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NAME.DLL2023-01-27 11:22:57.128 11241100x8000000000000000322344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7Lexicons0011.DLL2023-01-27 11:22:57.129 11241100x8000000000000000322343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7Models0011.DLL2023-01-27 11:22:57.129 11241100x8000000000000000322342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.128{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NAMECONTROLSERVER.EXE2023-01-27 11:22:57.128 11241100x8000000000000000322341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.127{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7Data0011.DLL2023-01-27 11:22:57.126 11241100x8000000000000000322340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.126{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MeetingJoinAxOC.dll2023-01-27 11:22:57.125 11241100x8000000000000000322339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.125{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NAMECONTROLPROXY.DLL2023-01-27 11:22:57.125 11241100x8000000000000000322338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.125{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Microsoft.Office.PolicyTips.dll2023-01-27 11:22:57.120 23542300x8000000000000000322337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.123{72106695-B405-63D3-B203-00000000BD02}4756WIN-HOST-CTUS-A\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-journalMD5=154FA03BC7C5DE95D2C9A28C56C9E0B3,SHA256=6CB765900C9F8570DCCE9565AF38AEA17ECABEB100FA56AC8A3D82E3CFD3F4CC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.119{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Microsoft.Ink.Recognition.DLL2023-01-27 11:22:57.119 11241100x8000000000000000322335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.119{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSVCP140_APP.DLL2023-01-27 11:22:57.118 11241100x8000000000000000322334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.118{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSRTEDIT.DLL2023-01-27 11:22:57.118 11241100x8000000000000000322333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.118{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC32.DLL2023-01-27 11:22:57.118 11241100x8000000000000000322332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.117{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSQRY32.EXE2023-01-27 11:22:57.116 11241100x8000000000000000322331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.116{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSPUB.EXE2023-01-27 11:22:57.116 11241100x8000000000000000322330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.115{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSPST32.DLL2023-01-27 11:22:57.106 11241100x8000000000000000322329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.106{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOSVG.DLL2023-01-27 11:22:57.105 11241100x8000000000000000322328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.106{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOSTYLE.DLL2023-01-27 11:22:57.104 11241100x8000000000000000322327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.104{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOSREC.EXE2023-01-27 11:22:57.104 11241100x8000000000000000322326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.104{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOSPECTRE.DLL2023-01-27 11:22:57.103 11241100x8000000000000000322325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.103{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOHEVI.DLL2023-01-27 11:22:57.103 11241100x8000000000000000322324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.103{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOCR.DLL2023-01-27 11:22:57.102 11241100x8000000000000000322323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.102{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOHTMED.EXE2023-01-27 11:22:57.102 11241100x8000000000000000322322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.094{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSO.FRAMEPROTOCOLWIN32.DLL2023-01-27 11:22:57.092 11241100x8000000000000000322321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.092{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOADFPS.DLL2023-01-27 11:22:57.091 11241100x8000000000000000322320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.090{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOARIANEXT.DLL2023-01-27 11:22:57.090 11241100x8000000000000000322319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.088{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOARIACAPI.DLL2023-01-27 11:22:57.088 11241100x8000000000000000322318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.081{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOARIA.DLL2023-01-27 11:22:57.081 23542300x8000000000000000447508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:58.915{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96230AA0D4DE6F4D407FDD371AF9E8A1,SHA256=C53CB5A3FD4CE0FCE324CFD5D5620C9DFA946E25CBBD34049981B6D96D3BB814,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.989{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:22:58.989 11241100x8000000000000000322633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.989{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:22:58.988 11241100x8000000000000000322632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.988{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:22:58.988 11241100x8000000000000000322631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.988{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:22:58.987 11241100x8000000000000000322630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.987{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:22:58.987 11241100x8000000000000000322629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.987{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:22:58.987 11241100x8000000000000000322628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.987{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXP_XPS.DLL2023-01-27 11:22:58.986 11241100x8000000000000000322627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.986{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXP_PDF.DLL2023-01-27 11:22:58.986 11241100x8000000000000000322626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.984{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXPSRV.DLL2023-01-27 11:22:58.984 11241100x8000000000000000322625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.984{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\xmlrwbin_xl.dll2023-01-27 11:22:58.983 11241100x8000000000000000322624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.983{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\xmlrw_xl.dll2023-01-27 11:22:58.983 11241100x8000000000000000322623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.983{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\tmtransactions_xl.dll2023-01-27 11:22:58.983 11241100x8000000000000000322622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.982{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\tmpersistence_xl.dll2023-01-27 11:22:58.982 11241100x8000000000000000322621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.981{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\tmcachemgr_xl.dll2023-01-27 11:22:58.981 11241100x8000000000000000322620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.981{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\tmapi_xl.dll2023-01-27 11:22:58.981 11241100x8000000000000000322619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.981{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\System.Spatial.dll2023-01-27 11:22:58.880 11241100x8000000000000000322618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.980{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\msolap_xl.dll2023-01-27 11:22:58.980 11241100x8000000000000000322617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.978{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\msmgdsrv_xl.dll2023-01-27 11:22:58.977 11241100x8000000000000000322616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.977{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\msmdlocal_xl.dll2023-01-27 11:22:58.973 11241100x8000000000000000322615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.977{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\adal.dll2023-01-27 11:22:58.879 11241100x8000000000000000322614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.973{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Excel.Amo.dll2023-01-27 11:22:58.880 23542300x8000000000000000322613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.911{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B79653C2E8052C3FFF7DA31553A581B1,SHA256=08F467A9D7C0423D7A3827E052E6BB5BF176FD63B19F6D75DC04666FA981FC9C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.878{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Office.Excel.DataModel.dll2023-01-27 11:22:58.878 11241100x8000000000000000322611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.878{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Excel.Tabular.dll2023-01-27 11:22:58.877 11241100x8000000000000000322610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.877{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Excel.SPClient.Interfaces.dll2023-01-27 11:22:58.877 11241100x8000000000000000322609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.877{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Data.Edm.dll2023-01-27 11:22:58.877 11241100x8000000000000000322608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.877{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Data.Odata.dll2023-01-27 11:22:58.876 11241100x8000000000000000322607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.877{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.SqlServer.Configuration.SString.dll2023-01-27 11:22:58.876 11241100x8000000000000000322606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.875{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Data.DataFeedClient.dll2023-01-27 11:22:58.874 11241100x8000000000000000322605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.873{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.AnalysisServices.Excel.BackEnd.dll2023-01-27 11:22:58.873 11241100x8000000000000000322604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.873{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODEXL.DLL2023-01-27 11:22:58.873 11241100x8000000000000000322603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.873{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Excel.Amo.Core.dll2023-01-27 11:22:58.872 11241100x8000000000000000322602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.872{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Excel.AdomdClient.dll2023-01-27 11:22:58.872 11241100x8000000000000000322601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.872{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Data.ConnectionUI.Dialog.dll2023-01-27 11:22:58.787 11241100x8000000000000000322600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.784{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\msmgdsrv_xl.dll2023-01-27 11:22:58.784 11241100x8000000000000000322599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.784{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.SqlServer.Configuration.SString.dll2023-01-27 11:22:58.783 11241100x8000000000000000322598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.784{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.AdomdClient.dll2023-01-27 11:22:58.781 11241100x8000000000000000322597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.781{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.Amo.dll2023-01-27 11:22:58.779 11241100x8000000000000000322596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.872{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Data.ConnectionUI.dll2023-01-27 11:22:58.871 11241100x8000000000000000322595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.785{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.AnalysisServices.Common.dll2023-01-27 11:22:58.785 11241100x8000000000000000322594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.784{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\msolap_xl.dll2023-01-27 11:22:58.784 11241100x8000000000000000322593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.783{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.SPClient.Interfaces.dll2023-01-27 11:22:58.781 11241100x8000000000000000322592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.775{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.Tabular.dll2023-01-27 11:22:58.775 11241100x8000000000000000322591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.775{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.Amo.Core.dll2023-01-27 11:22:58.775 11241100x8000000000000000322590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.775{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\msmdlocal_xl.dll2023-01-27 11:22:58.774 11241100x8000000000000000322589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.772{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Office.Excel.DataModel.dll2023-01-27 11:22:58.772 11241100x8000000000000000322588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.771{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.ConnectionUI.dll2023-01-27 11:22:58.769 11241100x8000000000000000322587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.770{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.AnalysisServices.Excel.BackEnd.dll2023-01-27 11:22:58.768 11241100x8000000000000000322586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.768{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.ConnectionUI.Dialog.dll2023-01-27 11:22:58.765 11241100x8000000000000000322585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.768{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.AnalysisServices.Common.dll2023-01-27 11:22:58.764 11241100x8000000000000000322584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.764{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEOLEDB.DLL2023-01-27 11:22:58.759 11241100x8000000000000000322583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.753{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Csi.dll2023-01-27 11:22:58.747 11241100x8000000000000000322582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.747{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AIRWER.DLL2023-01-27 11:22:58.747 11241100x8000000000000000322581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.743{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLL2023-01-27 11:22:58.743 11241100x8000000000000000322580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.741{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODTXT.DLL2023-01-27 11:22:58.741 11241100x8000000000000000322579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.741{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ADAL.DLL2023-01-27 11:22:58.741 11241100x8000000000000000322578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.739{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEXBE.DLL2023-01-27 11:22:58.737 11241100x8000000000000000322577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.738{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODDBS.DLL2023-01-27 11:22:58.738 11241100x8000000000000000322576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.736{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEWSS.DLL2023-01-27 11:22:58.736 11241100x8000000000000000322575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.735{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEWDAT.DLL2023-01-27 11:22:58.735 11241100x8000000000000000322574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.735{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACETXT.DLL2023-01-27 11:22:58.735 11241100x8000000000000000322573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.735{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODATASERVICE.DLL2023-01-27 11:22:58.734 11241100x8000000000000000322572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.734{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODBC.DLL2023-01-27 11:22:58.730 11241100x8000000000000000322571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.720{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODATA.DLL2023-01-27 11:22:58.654 11241100x8000000000000000322570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.661{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEEXCH.DLL2023-01-27 11:22:58.591 11241100x8000000000000000322569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.658{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEERR.DLL2023-01-27 11:22:58.591 11241100x8000000000000000322568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.593{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEES.DLL2023-01-27 11:22:58.588 11241100x8000000000000000322567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.588{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEEXCL.DLL2023-01-27 11:22:58.586 11241100x8000000000000000322566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.576{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEDAO.DLL2023-01-27 11:22:58.575 11241100x8000000000000000322565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.575{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\ucrtbase.dll2023-01-27 11:22:58.574 11241100x8000000000000000322564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.575{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\msitss55.dll2023-01-27 11:22:58.574 11241100x8000000000000000322563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.575{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACECORE.DLL2023-01-27 11:22:58.574 11241100x8000000000000000322562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.574{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\itircl55.dll2023-01-27 11:22:58.574 11241100x8000000000000000322561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.574{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\MSClientDataMgr\MSCDM.DLL2023-01-27 11:22:58.574 11241100x8000000000000000322560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.574{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\MSOEURO.DLL2023-01-27 11:22:58.573 11241100x8000000000000000322559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.573{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\vcruntime140.dll2023-01-27 11:22:58.572 11241100x8000000000000000322558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.572{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\vccorlib140.dll2023-01-27 11:22:58.559 11241100x8000000000000000322557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.559{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\hxds.dll2023-01-27 11:22:58.559 11241100x8000000000000000322556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.558{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcp140.dll2023-01-27 11:22:58.558 11241100x8000000000000000322555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.558{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\mfc140u.dll2023-01-27 11:22:58.557 11241100x8000000000000000322554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.557{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE2023-01-27 11:22:58.557 11241100x8000000000000000322553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.557{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\concrt140.dll2023-01-27 11:22:58.557 11241100x8000000000000000322552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.557{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DBGHELP.DLL2023-01-27 11:22:58.556 11241100x8000000000000000322551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.557{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DBGCORE.DLL2023-01-27 11:22:58.556 11241100x8000000000000000322550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.555{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\vccorlib110.dll2023-01-27 11:22:58.555 11241100x8000000000000000322549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.555{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\v8jsi.dll2023-01-27 11:22:58.555 11241100x8000000000000000322548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.553{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\rtmmvrhw.dll2023-01-27 11:22:58.552 11241100x8000000000000000322547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.553{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\rtmmvrcs.dll2023-01-27 11:22:58.552 11241100x8000000000000000322546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.553{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\scdec.dll2023-01-27 11:22:58.552 11241100x8000000000000000322545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.553{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxbgt.dll2023-01-27 11:22:58.552 11241100x8000000000000000322544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.551{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\react-native-win32.dll2023-01-27 11:22:58.551 11241100x8000000000000000322543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.551{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\react-native-sdk.dll2023-01-27 11:22:58.550 11241100x8000000000000000322542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.551{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\rdpqoemetrics.dll2023-01-27 11:22:58.550 11241100x8000000000000000322541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.550{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\protocolhandler.exe2023-01-27 11:22:58.549 11241100x8000000000000000322540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.549{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\officeappguardwin32.exe2023-01-27 11:22:58.548 11241100x8000000000000000322539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.548{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ocrec.dll2023-01-27 11:22:58.548 11241100x8000000000000000322538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.547{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ocimport.dll2023-01-27 11:22:58.547 11241100x8000000000000000322537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.547{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msvcr110.dll2023-01-27 11:22:58.547 11241100x8000000000000000322536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.547{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msproof7.dll2023-01-27 11:22:58.547 11241100x8000000000000000322535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.547{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msvcp110.dll2023-01-27 11:22:58.547 11241100x8000000000000000322534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.546{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msotelemetry.dll2023-01-27 11:22:58.546 11241100x8000000000000000322533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.545{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msotdaddin.dll2023-01-27 11:22:58.545 11241100x8000000000000000322532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.545{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msotd.exe2023-01-27 11:22:58.545 11241100x8000000000000000322531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.544{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoianetutil.dll2023-01-27 11:22:58.544 11241100x8000000000000000322530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.544{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoia.exe2023-01-27 11:22:58.544 11241100x8000000000000000322529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.544{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoev.exe2023-01-27 11:22:58.544 11241100x8000000000000000322528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.544{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoetwres.dll2023-01-27 11:22:58.543 11241100x8000000000000000322527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.540{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoasb.exe2023-01-27 11:22:58.539 11241100x8000000000000000322526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.539{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoadfsb.exe2023-01-27 11:22:58.539 11241100x8000000000000000322525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.539{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msix.dll2023-01-27 11:22:58.539 11241100x8000000000000000322524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.539{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msfad.dll2023-01-27 11:22:58.538 11241100x8000000000000000322523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.538{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mset7tkjp.dll2023-01-27 11:22:58.538 11241100x8000000000000000322522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.538{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mset7tk.dll2023-01-27 11:22:58.538 11241100x8000000000000000322521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.538{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mset7.dll2023-01-27 11:22:58.537 11241100x8000000000000000322520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.538{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\misc.exe2023-01-27 11:22:58.537 11241100x8000000000000000322519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.535{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mce_office.dll2023-01-27 11:22:58.534 11241100x8000000000000000322518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.534{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lynchtmlconvpxy.dll2023-01-27 11:22:58.534 11241100x8000000000000000322517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.534{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lynchtmlconv.exe2023-01-27 11:22:58.533 11241100x8000000000000000322516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.533{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lync99.exe2023-01-27 11:22:58.533 11241100x8000000000000000322515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.533{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ssscreenvvs.dll2023-01-27 11:22:58.533 11241100x8000000000000000322514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.533{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\roottools.dll2023-01-27 11:22:58.533 11241100x8000000000000000322513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.532{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lyncModelProxy.dll2023-01-27 11:22:58.532 11241100x8000000000000000322512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.531{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lyncDesktopViewModel.dll2023-01-27 11:22:58.531 11241100x8000000000000000322511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.531{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lync.exe2023-01-27 11:22:58.531 11241100x8000000000000000322510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.531{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\excelcnvpxy.dll2023-01-27 11:22:58.530 11241100x8000000000000000322509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.530{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\excelcnv.exe2023-01-27 11:22:58.529 11241100x8000000000000000322508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.527{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\csi.dll2023-01-27 11:22:58.527 11241100x8000000000000000322507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.527{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\atl110.dll2023-01-27 11:22:58.527 11241100x8000000000000000322506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.527{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\cpprestsdk.dll2023-01-27 11:22:58.526 11241100x8000000000000000322505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.526{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\appshvw.dll2023-01-27 11:22:58.526 11241100x8000000000000000322504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.526{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\appshcom.dll2023-01-27 11:22:58.526 11241100x8000000000000000322503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.526{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\appsharingmediaprovider.dll2023-01-27 11:22:58.525 11241100x8000000000000000322502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\XLINTL32.COMMON.DLL2023-01-27 11:22:58.525 11241100x8000000000000000322501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\XLICONS.EXE2023-01-27 11:22:58.525 11241100x8000000000000000322500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\XLCALL32.DLL2023-01-27 11:22:58.524 11241100x8000000000000000322499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.524{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Wordconv.exe2023-01-27 11:22:58.523 11241100x8000000000000000322498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.523{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Wordcnvr.dll2023-01-27 11:22:58.523 11241100x8000000000000000322497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.523{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WebView2Host.dll2023-01-27 11:22:58.522 11241100x8000000000000000322496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.522{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Wordcnv.dll2023-01-27 11:22:58.484 11241100x8000000000000000322495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.481{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Win32MsgQueue.dll2023-01-27 11:22:58.481 11241100x8000000000000000322494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.480{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WebView2Loader.dll2023-01-27 11:22:58.480 11241100x8000000000000000322493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.479{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WINWORD.EXE2023-01-27 11:22:58.479 11241100x8000000000000000322492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.472{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WORDICON.EXE2023-01-27 11:22:58.472 11241100x8000000000000000322491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.472{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WWLIB.DLL2023-01-27 11:22:58.469 11241100x8000000000000000322490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.468{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WEBSANDBOX.DLL2023-01-27 11:22:58.468 11241100x8000000000000000322489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.447{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VPREVIEW.EXE2023-01-27 11:22:58.416 11241100x8000000000000000322488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.444{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VVIEWER.DLL2023-01-27 11:22:58.444 11241100x8000000000000000322487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.428{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VVIEWDWG.DLL2023-01-27 11:22:58.428 11241100x8000000000000000322486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.407{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VISSHE.DLL2023-01-27 11:22:58.406 11241100x8000000000000000322485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.406{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\UccApi.dll2023-01-27 11:22:58.406 11241100x8000000000000000322484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.397{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\UcMapi.exe2023-01-27 11:22:58.397 11241100x8000000000000000322483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.397{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Uc.dll2023-01-27 11:22:58.396 11241100x8000000000000000322482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.396{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\TellMeRuntime.dll2023-01-27 11:22:58.396 11241100x8000000000000000322481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.396{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\URLREDIR.DLL2023-01-27 11:22:58.395 11241100x8000000000000000322480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.395{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SkypeSrv\SKYPESERVER.EXE2023-01-27 11:22:58.394 11241100x8000000000000000322479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.395{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\UCAddin.dll2023-01-27 11:22:58.395 11241100x8000000000000000322478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.394{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SkypeSrv\SFBAPPSDK.DLL2023-01-27 11:22:58.394 11241100x8000000000000000322477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.394{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SignalRClient.dll2023-01-27 11:22:58.392 11241100x8000000000000000322476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.393{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\STSLIST.DLL2023-01-27 11:22:58.391 11241100x8000000000000000322475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.391{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SOCIALPROVIDER.DLL2023-01-27 11:22:58.391 11241100x8000000000000000322474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.391{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SOCIALCONNECTOR.DLL2023-01-27 11:22:58.391 11241100x8000000000000000322473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.391{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SOA.DLL2023-01-27 11:22:58.390 11241100x8000000000000000322472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.390{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SHAREPOINTPROVIDER.DLL2023-01-27 11:22:58.390 11241100x8000000000000000322471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.390{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SEQCHK10.DLL2023-01-27 11:22:58.390 11241100x8000000000000000322470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.390{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SETLANG.EXE2023-01-27 11:22:58.389 11241100x8000000000000000322469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.389{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SENDTO.DLL2023-01-27 11:22:58.389 11241100x8000000000000000322468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.389{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SELFCERT.EXE2023-01-27 11:22:58.388 11241100x8000000000000000322467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.388{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VCRUNTIME140_APP.DLL2023-01-27 11:22:58.388 11241100x8000000000000000322466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.388{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VCCORLIB140_APP.DLL2023-01-27 11:22:58.388 11241100x8000000000000000322465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.388{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SDXHelperBgt.exe2023-01-27 11:22:58.388 11241100x8000000000000000322464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.387{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SDXHelper.exe2023-01-27 11:22:58.387 11241100x8000000000000000322463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.387{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SCNPST64C.DLL2023-01-27 11:22:58.387 11241100x8000000000000000322462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.387{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SCNPST64.DLL2023-01-27 11:22:58.387 11241100x8000000000000000322461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.385{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SCNPST32.DLL2023-01-27 11:22:58.385 11241100x8000000000000000322460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.385{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SCANPST.EXE2023-01-27 11:22:58.385 11241100x8000000000000000322459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.385{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Rtmmvras.dll2023-01-27 11:22:58.385 11241100x8000000000000000322458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.385{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Rtmpal.dll2023-01-27 11:22:58.384 11241100x8000000000000000322457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.384{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SAEXT.DLL2023-01-27 11:22:58.384 11241100x8000000000000000322456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.384{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Rtmmvrsplitter.dll2023-01-27 11:22:58.384 11241100x8000000000000000322455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.384{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Rtmmediamanager.dll2023-01-27 11:22:58.383 23542300x8000000000000000322454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.382{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FC71DE7AD1A9072FE5B89CA695CE339,SHA256=9E3A7456C35653FDCC29B8FD26D26626296204C94B0563AE3BE89EED67BAC432,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.382{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Rtmcodecs.dll2023-01-27 11:22:58.382 11241100x8000000000000000322452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.382{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\RTMPLTFM.dll2023-01-27 11:22:58.382 11241100x8000000000000000322451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.382{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\RTC.DLL2023-01-27 11:22:58.381 11241100x8000000000000000322450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.381{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\REFEDIT.DLL2023-01-27 11:22:58.381 11241100x8000000000000000322449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.381{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\RECALL.DLL2023-01-27 11:22:58.381 11241100x8000000000000000322448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.381{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PropertyModelProxy.dll2023-01-27 11:22:58.381 11241100x8000000000000000322447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.381{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Psom.dll2023-01-27 11:22:58.380 11241100x8000000000000000322446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.379{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBTRAP.DLL2023-01-27 11:22:58.379 11241100x8000000000000000322445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.379{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PropertyModel.dll2023-01-27 11:22:58.379 11241100x8000000000000000322444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.379{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUB6INTL.COMMON.DLL2023-01-27 11:22:57.769 23542300x8000000000000000322443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.378{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD9A7151B04BA8D89EBF7DEA271F351,SHA256=13A2945213DC49BF919B3EA609AEFA08D4BEBF61FEFB084BDDCC464C9434228B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000322442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.515{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50978-false10.0.1.12-8000- 10341000x8000000000000000322441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.354{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.268{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B412-63D3-B903-00000000BD02}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.268{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.268{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.268{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.268{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.268{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B412-63D3-B903-00000000BD02}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000322434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.268{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B412-63D3-B903-00000000BD02}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000322433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.114{72106695-B412-63D3-B903-00000000BD02}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000447528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.962{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2302872C5C00159385BB2BC00D616E68,SHA256=94F0FA3E506275F125F0A897FD1C6CEEDCADA7949A81CB8BAEC4050086D7C41C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000322686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:59.812{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE4D21EE28888B75395BAAABF7F82F8,SHA256=67E3448C4C68C3FA347E94F4F2EC9333C1C126AE692131D310C3FD8DF41547BA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:59.804{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\operfmon.exe2023-01-27 11:22:59.803 11241100x8000000000000000322684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.804{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ucrtbase.dll2023-01-27 11:22:59.803 11241100x8000000000000000322683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.803{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FDATE.DLL2023-01-27 11:22:59.803 11241100x8000000000000000322682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.803{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vccorlib140.dll2023-01-27 11:22:59.803 11241100x8000000000000000322681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.803{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\concrt140.dll2023-01-27 11:22:59.802 11241100x8000000000000000322680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.803{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\offhud.dll2023-01-27 11:22:59.802 11241100x8000000000000000322679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.803{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSLID.DLL2023-01-27 11:22:59.802 11241100x8000000000000000322678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.802{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\mfc140u.dll2023-01-27 11:22:59.801 11241100x8000000000000000322677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.801{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msowercrash.dll2023-01-27 11:22:59.801 11241100x8000000000000000322676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.801{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll2023-01-27 11:22:59.801 11241100x8000000000000000322675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.801{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\mlg.dll2023-01-27 11:22:59.801 11241100x8000000000000000322674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.801{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\aitrx.dll2023-01-27 11:22:59.801 11241100x8000000000000000322673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:59.801{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\aimgr.exe2023-01-27 11:22:59.801 11241100x8000000000000000322672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.800{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\WISC30.DLL2023-01-27 11:22:59.534 11241100x8000000000000000322671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.800{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\WXPNSE.DLL2023-01-27 11:22:59.534 11241100x8000000000000000322670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:59.800{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe2023-01-27 11:22:59.794 11241100x8000000000000000322669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.800{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.dll2023-01-27 11:22:59.794 23542300x8000000000000000322668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:59.794{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A009DA55755CA4F306A907D1B5C648F0,SHA256=4E4798186D503BD694217657BC60C3F55D8B94EC1261BCF6E4633E6B2C6A63D9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000322667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.533{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\VBAJET32.DLL2023-01-27 11:22:59.533 11241100x8000000000000000322666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.531{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\TextIntelligence.dll2023-01-27 11:22:59.531 11241100x8000000000000000322665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.530{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\RICHED20.DLL2023-01-27 11:22:59.530 11241100x8000000000000000322664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.530{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OPTINPS.DLL2023-01-27 11:22:59.530 11241100x8000000000000000322663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.527{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OFFREL.DLL2023-01-27 11:22:59.527 11241100x8000000000000000322662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.527{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ODATACPP.DLL2023-01-27 11:22:59.527 11241100x8000000000000000322661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.526{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso98win32client.dll2023-01-27 11:22:59.526 11241100x8000000000000000322660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.526{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso50win32client.dll2023-01-27 11:22:59.525 11241100x8000000000000000322659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll2023-01-27 11:22:59.525 11241100x8000000000000000322658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso30win32client.dll2023-01-27 11:22:59.525 11241100x8000000000000000322657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso20win32client.dll2023-01-27 11:22:59.524 11241100x8000000000000000322656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.524{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MUOPTIN.DLL2023-01-27 11:22:59.274 11241100x8000000000000000322655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.273{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSPTLS.DLL2023-01-27 11:22:59.273 11241100x8000000000000000322654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.273{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSSOAP30.DLL2023-01-27 11:22:59.273 11241100x8000000000000000322653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.273{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLMF.DLL2023-01-27 11:22:59.273 11241100x8000000000000000322652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:59.272{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE2023-01-27 11:22:59.272 10341000x8000000000000000447527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.606{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.583{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.574{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.571{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.568{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.563{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.514{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.497{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.478{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.470{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.456{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.443{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.434{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.412{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.396{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.376{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.357{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.304{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.296{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 11241100x8000000000000000322651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.265{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSORES.DLL2023-01-27 11:22:59.265 11241100x8000000000000000322650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:59.250{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE2023-01-27 11:22:59.250 11241100x8000000000000000322649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.250{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO99LRES.DLL2023-01-27 11:22:59.250 11241100x8000000000000000322648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.250{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO40UIRES.DLL2023-01-27 11:22:59.250 11241100x8000000000000000322647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.250{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO.DLL2023-01-27 11:22:59.250 11241100x8000000000000000322646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.249{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp140.dll2023-01-27 11:22:59.244 11241100x8000000000000000322645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.249{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\IACOM3.DLL2023-01-27 11:22:59.249 11241100x8000000000000000322644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.249{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140.dll2023-01-27 11:22:59.245 11241100x8000000000000000322643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.249{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140_1.dll2023-01-27 11:22:59.248 11241100x8000000000000000322642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.249{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\IACOM2.DLL2023-01-27 11:22:59.244 11241100x8000000000000000322641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.240{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:22:59.239 11241100x8000000000000000322640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:59.239{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE2023-01-27 11:22:59.239 11241100x8000000000000000322639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.236{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:22:59.235 11241100x8000000000000000322638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.235{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:22:59.234 11241100x8000000000000000322637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.234{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\xmsrv_xl.dll2023-01-27 11:22:58.984 11241100x8000000000000000322636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.234{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:22:59.233 11241100x8000000000000000322635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.233{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:22:58.989 10341000x8000000000000000322893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.956{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.939{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.933{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.931{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.919{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.909{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.898{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.895{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.867{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 23542300x8000000000000000322884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.862{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11AFDA5B5E8CF425AB4C2AAF1307F52,SHA256=698DA1CBC0FDA7AC157B8BCD05571EE9C02137501F7FC4D632322492D4CB256F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000322883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.862{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.852{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.845{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.842{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.839{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.807{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.800{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.798{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.793{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.792{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 11241100x8000000000000000322873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.791{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140.dll2023-01-27 11:23:00.791 10341000x8000000000000000322872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.791{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 11241100x8000000000000000322871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.790{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\vccorlib140.dll2023-01-27 11:23:00.790 11241100x8000000000000000322870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.790{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\FM20.DLL2023-01-27 11:23:00.790 10341000x8000000000000000322869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.790{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 11241100x8000000000000000322868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.790{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140kor.dll2023-01-27 11:23:00.789 11241100x8000000000000000322867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.789{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\msvcp140_1.dll2023-01-27 11:23:00.789 11241100x8000000000000000322866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.789{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\msvcp140.dll2023-01-27 11:23:00.789 11241100x8000000000000000322865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.789{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfcm140u.dll2023-01-27 11:23:00.788 11241100x8000000000000000322864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.789{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfcm140.dll2023-01-27 11:23:00.788 11241100x8000000000000000322863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.788{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140u.dll2023-01-27 11:23:00.777 10341000x8000000000000000322862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.788{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.787{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 11241100x8000000000000000322860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\msvcp140_codecvt_ids.dll2023-01-27 11:23:00.777 11241100x8000000000000000322859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140rus.dll2023-01-27 11:23:00.777 11241100x8000000000000000322858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\msvcp140_2.dll2023-01-27 11:23:00.777 11241100x8000000000000000322857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140cht.dll2023-01-27 11:23:00.777 11241100x8000000000000000322856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140ita.dll2023-01-27 11:23:00.777 11241100x8000000000000000322855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140fra.dll2023-01-27 11:23:00.777 11241100x8000000000000000322854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140enu.dll2023-01-27 11:23:00.777 11241100x8000000000000000322853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140deu.dll2023-01-27 11:23:00.777 11241100x8000000000000000322852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140jpn.dll2023-01-27 11:23:00.777 11241100x8000000000000000322851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140chs.dll2023-01-27 11:23:00.532 10341000x8000000000000000322850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.668{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.661{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.655{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.653{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.646{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.619{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.617{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.608{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.534{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.532{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 11241100x8000000000000000322840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.531{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140esn.dll2023-01-27 11:23:00.530 11241100x8000000000000000322839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.529{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140.dll2023-01-27 11:23:00.526 11241100x8000000000000000322838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.527{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ucrtbase.dll2023-01-27 11:23:00.526 11241100x8000000000000000322837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.526{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\concrt140.dll2023-01-27 11:23:00.526 11241100x8000000000000000322836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dll2023-01-27 11:23:00.525 10341000x8000000000000000322835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.520{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 11241100x8000000000000000322834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.513{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\vccorlib140.dll2023-01-27 11:23:00.513 11241100x8000000000000000322833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.513{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\mfc140u.dll2023-01-27 11:23:00.513 11241100x8000000000000000322832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.513{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\concrt140.dll2023-01-27 11:23:00.512 11241100x8000000000000000322831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.512{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL2023-01-27 11:23:00.511 11241100x8000000000000000322830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.511{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWDWG.DLL2023-01-27 11:23:00.511 11241100x8000000000000000322829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.511{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\STSUPLD.DLL2023-01-27 11:23:00.511 11241100x8000000000000000322828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.511{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\STSCOPY.DLL2023-01-27 11:23:00.247 10341000x8000000000000000322827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.506{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.474{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.458{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.437{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.405{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.373{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.352{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000322820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.340{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850) 10341000x8000000000000000447533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:00.295{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:00.292{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:00.288{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:00.286{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 10341000x8000000000000000447529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:00.284{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190) 11241100x8000000000000000322819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.247{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\PPSLAX.DLL2023-01-27 11:23:00.247 11241100x8000000000000000322818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.247{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSCLT.DLL2023-01-27 11:23:00.242 11241100x8000000000000000322817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.245{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\URLREDIR.DLL2023-01-27 11:23:00.242 11241100x8000000000000000322816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.242{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSSUPP.DLL2023-01-27 11:23:00.242 11241100x8000000000000000322815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.242{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OSFPROXY.DLL2023-01-27 11:23:00.241 11241100x8000000000000000322814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.241{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONLNTCOMLIB.DLL2023-01-27 11:23:00.240 11241100x8000000000000000322813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.240{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIELinkedNotes.dll2023-01-27 11:23:00.240 11241100x8000000000000000322812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.239{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIE.dll2023-01-27 11:23:00.239 11241100x8000000000000000322811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.239{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OLKFSTUB.DLL2023-01-27 11:23:00.239 11241100x8000000000000000322810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.239{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OSFROAMINGPROXY.DLL2023-01-27 11:23:00.239 11241100x8000000000000000322809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.239{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll2023-01-27 11:23:00.238 11241100x8000000000000000322808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.238{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL2023-01-27 11:23:00.238 11241100x8000000000000000322807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.238{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAMEEXT.DLL2023-01-27 11:23:00.237 11241100x8000000000000000322806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.237{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAMECONTROLPROXY.DLL2023-01-27 11:23:00.211 11241100x8000000000000000322805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.211{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAME.DLL2023-01-27 11:23:00.211 11241100x8000000000000000322804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.211{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MeetingJoinAxOC.dll2023-01-27 11:23:00.210 11241100x8000000000000000322803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.210{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL2023-01-27 11:23:00.210 11241100x8000000000000000322802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.206{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE2023-01-27 11:23:00.206 11241100x8000000000000000322801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.205{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHEV.DLL2023-01-27 11:23:00.204 11241100x8000000000000000322800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.200{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MINSBROAMINGPROXY.DLL2023-01-27 11:23:00.200 11241100x8000000000000000322799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.200{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MINSBPROXY.DLL2023-01-27 11:23:00.199 11241100x8000000000000000322798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.197{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\IEAWSDC.DLL2023-01-27 11:23:00.197 11241100x8000000000000000322797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.196{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\GROOVEEX.DLL2023-01-27 11:23:00.196 11241100x8000000000000000322796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.184{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\office.dll2023-01-27 11:23:00.184 11241100x8000000000000000322795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.184{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Microsoft.Vbe.Interop.dll2023-01-27 11:23:00.184 11241100x8000000000000000322794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.184{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SpreadsheetIQ.ExcelServices.dll2023-01-27 11:23:00.184 11241100x8000000000000000322793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.184{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SpreadsheetIQ.ExcelAddIn.dll2023-01-27 11:23:00.182 11241100x8000000000000000322792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.181{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SpreadsheetIQ.Diagram.dll2023-01-27 11:23:00.181 11241100x8000000000000000322791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.181{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\NativeShim.dll2023-01-27 11:23:00.181 11241100x8000000000000000322790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.181{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe2023-01-27 11:23:00.180 11241100x8000000000000000322789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.180{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Microsoft.Office.Interop.Excel.dll2023-01-27 11:23:00.180 11241100x8000000000000000322788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.180{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Microsoft.Office.Interop.Access.dll2023-01-27 11:23:00.180 11241100x8000000000000000322787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.180{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Microsoft.Office.Interop.Access.dao.dll2023-01-27 11:23:00.180 11241100x8000000000000000322786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.180{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE2023-01-27 11:23:00.179 11241100x8000000000000000322785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.179{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\MSVCR120.DLL2023-01-27 11:23:00.179 11241100x8000000000000000322784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.179{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\NativeShim.Resources.dll2023-01-27 11:23:00.177 11241100x8000000000000000322783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.177{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Inquire.dll2023-01-27 11:23:00.176 11241100x8000000000000000322782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.176{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DcfMsoWrapper.dll2023-01-27 11:23:00.176 11241100x8000000000000000322781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.176{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DcfMsoWrapper.x86.dll2023-01-27 11:23:00.176 11241100x8000000000000000322780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.175{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DatabaseServices.dll2023-01-27 11:23:00.175 11241100x8000000000000000322779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.175{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DatabaseCore.dll2023-01-27 11:23:00.175 11241100x8000000000000000322778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.175{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.SqlDatabase.dll2023-01-27 11:23:00.175 11241100x8000000000000000322777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.175{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.PasswordManager.dll2023-01-27 11:23:00.174 11241100x8000000000000000322776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.MsoInterop.dll2023-01-27 11:23:00.174 11241100x8000000000000000322775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.FileUtils.dll2023-01-27 11:23:00.174 11241100x8000000000000000322774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ExcelServices.dll2023-01-27 11:23:00.173 11241100x8000000000000000322773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.173{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE2023-01-27 11:23:00.173 11241100x8000000000000000322772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.173{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe2023-01-27 11:23:00.173 11241100x8000000000000000322771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.173{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe2023-01-27 11:23:00.172 11241100x8000000000000000322770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.172{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe2023-01-27 11:23:00.168 11241100x8000000000000000322769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.168{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ClientConfiguration.dll2023-01-27 11:23:00.168 11241100x8000000000000000322768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.168{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.AuditItems.dll2023-01-27 11:23:00.168 11241100x8000000000000000322767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.168{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AutoHelper.dll2023-01-27 11:23:00.168 11241100x8000000000000000322766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.168{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\vcruntime140.dll2023-01-27 11:23:00.167 11241100x8000000000000000322765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.167{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\msvcp140.dll2023-01-27 11:23:00.167 11241100x8000000000000000322764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.167{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe2023-01-27 11:23:00.164 11241100x8000000000000000322763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.167{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:23:00.164 11241100x8000000000000000322762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.162{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:23:00.160 11241100x8000000000000000322761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.161{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:23:00.160 11241100x8000000000000000322760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.161{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:23:00.159 11241100x8000000000000000322759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.161{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:23:00.159 11241100x8000000000000000322758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.161{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:23:00.159 11241100x8000000000000000322757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.160{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:23:00.159 11241100x8000000000000000322756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.160{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:23:00.159 11241100x8000000000000000322755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:23:00.157 11241100x8000000000000000322754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:23:00.157 11241100x8000000000000000322753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:23:00.157 11241100x8000000000000000322752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.155{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingChromeHook.dll2023-01-27 11:23:00.155 11241100x8000000000000000322751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.155{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\xmsrv.dll2023-01-27 11:23:00.154 11241100x8000000000000000322750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.154{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msolui.dll2023-01-27 11:23:00.153 11241100x8000000000000000322749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.153{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msolap.dll2023-01-27 11:23:00.153 11241100x8000000000000000322748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.153{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmgdsrv.dll2023-01-27 11:23:00.153 11241100x8000000000000000322747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.151{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmdlocal.dll2023-01-27 11:23:00.151 11241100x8000000000000000322746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.150{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\adal.dll2023-01-27 11:23:00.149 11241100x8000000000000000322745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.149{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe2023-01-27 11:23:00.145 11241100x8000000000000000322744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.145{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Microsoft.AnalysisServices.AzureClient.dll2023-01-27 11:23:00.145 11241100x8000000000000000322743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.145{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\xmsrv.dll2023-01-27 11:23:00.145 11241100x8000000000000000322742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.144{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\msolui.dll2023-01-27 11:23:00.144 11241100x8000000000000000322741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.144{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\msolap.dll2023-01-27 11:23:00.143 11241100x8000000000000000322740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.143{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\msmgdsrv.dll2023-01-27 11:23:00.143 11241100x8000000000000000322739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.143{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\msmdlocal.dll2023-01-27 11:23:00.142 11241100x8000000000000000322738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.143{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe2023-01-27 11:23:00.131 11241100x8000000000000000322737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.142{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Microsoft.AnalysisServices.AzureClient.dll2023-01-27 11:23:00.131 11241100x8000000000000000322736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.142{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\adal.dll2023-01-27 11:23:00.131 11241100x8000000000000000322735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.131{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\System\ole db\xmlrwbin.dll2023-01-27 11:23:00.130 11241100x8000000000000000322734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.130{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\System\ole db\xmlrw.dll2023-01-27 11:23:00.130 11241100x8000000000000000322733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPWEC.DLL2023-01-27 11:23:00.129 11241100x8000000000000000322732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\PortalConnectCore.dll2023-01-27 11:23:00.128 11241100x8000000000000000322731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\vcruntime140.dll2023-01-27 11:23:00.128 11241100x8000000000000000322730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPSRVUTL.DLL2023-01-27 11:23:00.128 11241100x8000000000000000322729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msvcp140.dll2023-01-27 11:23:00.120 11241100x8000000000000000322728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.128{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\vccorlib140.dll2023-01-27 11:23:00.127 11241100x8000000000000000322727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.128{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ucrtbase.dll2023-01-27 11:23:00.128 11241100x8000000000000000322726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.120{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mfc140u.dll2023-01-27 11:23:00.120 11241100x8000000000000000322725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.118{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msoshext.dll2023-01-27 11:23:00.118 11241100x8000000000000000322724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.118{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\concrt140.dll2023-01-27 11:23:00.118 11241100x8000000000000000322723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.117{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mlg.dll2023-01-27 11:23:00.117 11241100x8000000000000000322722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.116{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\aimgr.exe2023-01-27 11:23:00.115 11241100x8000000000000000322721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.116{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ai.exe2023-01-27 11:23:00.115 11241100x8000000000000000322720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.116{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\aitrx.dll2023-01-27 11:23:00.115 11241100x8000000000000000322719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.110{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ai.dll2023-01-27 11:23:00.110 11241100x8000000000000000322718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.110{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\TextIntelligence.dll2023-01-27 11:23:00.110 11241100x8000000000000000322717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.094{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso98win32client.dll2023-01-27 11:23:00.094 11241100x8000000000000000322716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.094{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso50win32client.dll2023-01-27 11:23:00.094 11241100x8000000000000000322715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.094{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll2023-01-27 11:23:00.094 11241100x8000000000000000322714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.094{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso30win32client.dll2023-01-27 11:23:00.094 11241100x8000000000000000322713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.092{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso20win32client.dll2023-01-27 11:23:00.092 11241100x8000000000000000322712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.092{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLMF.DLL2023-01-27 11:23:00.092 11241100x8000000000000000322711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.091{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSORES.DLL2023-01-27 11:23:00.091 11241100x8000000000000000322710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.090{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO99LRES.DLL2023-01-27 11:23:00.090 11241100x8000000000000000322709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.090{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO40UIRES.DLL2023-01-27 11:23:00.090 11241100x8000000000000000322708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.090{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO.DLL2023-01-27 11:23:00.089 11241100x8000000000000000322707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.089{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll2023-01-27 11:23:00.089 11241100x8000000000000000322706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.089{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADAL.DLL2023-01-27 11:23:00.068 11241100x8000000000000000322705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\SYSTEM\ole db\xmlrw.dll2023-01-27 11:23:00.068 11241100x8000000000000000322704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\SYSTEM\ole db\xmlrwbin.dll2023-01-27 11:23:00.068 11241100x8000000000000000322703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.068{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLL2023-01-27 11:23:00.068 11241100x8000000000000000322702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.065{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\FPWEC.DLL2023-01-27 11:23:00.065 11241100x8000000000000000322701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.065{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\FPSRVUTL.DLL2023-01-27 11:23:00.065 11241100x8000000000000000322700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.065{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUIRES.DLL2023-01-27 11:23:00.064 11241100x8000000000000000322699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL2023-01-27 11:23:00.064 11241100x8000000000000000322698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1XTOR.DLL2023-01-27 11:23:00.064 11241100x8000000000000000322697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBE7.DLL2023-01-27 11:23:00.064 11241100x8000000000000000322696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\MSCONV97.DLL2023-01-27 11:23:00.063 11241100x8000000000000000322695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1CORE.DLL2023-01-27 11:23:00.063 11241100x8000000000000000322694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.063{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE2023-01-27 11:23:00.063 11241100x8000000000000000322693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.063{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe2023-01-27 11:23:00.062 11241100x8000000000000000322692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.063{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\MOFL.DLL2023-01-27 11:23:00.062 11241100x8000000000000000322691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.062{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.DLL2023-01-27 11:23:00.062 11241100x8000000000000000322690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.062{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\IMCONTACT.DLL2023-01-27 11:23:00.062 11241100x8000000000000000322689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.062{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\IETAG.DLL2023-01-27 11:23:00.061 11241100x8000000000000000322688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.061{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FPERSON.DLL2023-01-27 11:23:00.061 11241100x8000000000000000322687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.061{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Mi